Move existing kSitePerProcess checks to a policy-oracle object

content/browser/child_process_security_policy_impl.cc

Index: content/browser/child_process_security_policy_impl.cc
diff --git a/content/browser/child_process_security_policy_impl.cc b/content/browser/child_process_security_policy_impl.cc
index 58bf3e36ed02f95b3597094821260202ee853dee..412afe9996c3f8ee5f66809830578439d6744c68 100644
--- a/content/browser/child_process_security_policy_impl.cc
+++ b/content/browser/child_process_security_policy_impl.cc
@@ -12,11 +12,11 @@
 #include "base/strings/string_util.h"
 #include "content/browser/plugin_process_host.h"
 #include "content/browser/site_instance_impl.h"
+#include "content/common/site_isolation_policy.h"
 #include "content/public/browser/child_process_data.h"
 #include "content/public/browser/content_browser_client.h"
 #include "content/public/browser/render_process_host.h"
 #include "content/public/common/bindings_policy.h"
-#include "content/public/common/content_switches.h"
 #include "content/public/common/url_constants.h"
 #include "net/base/filename_util.h"
 #include "net/url_request/url_request.h"
@@ -566,11 +566,11 @@ bool ChildProcessSecurityPolicyImpl::CanLoadPage(int child_id,
                                                  ResourceType resource_type) {
   // If --site-per-process flag is passed, we should enforce
   // stronger security restrictions on page navigation.
-  if (base::CommandLine::ForCurrentProcess()->HasSwitch(
-          switches::kSitePerProcess) &&
+  if (SiteIsolationPolicy::DoesSiteRequireDedicatedProcess(url) &&
       IsResourceTypeFrame(resource_type)) {
     // TODO(nasko): Do the proper check for site-per-process, once
     // out-of-process iframes is ready to go.
+    // TODO(nick): Can we trust |resource_type| here?
     return true;
   }
   return true;