"Top Document Isolation" mode

content/browser/frame_host/render_frame_host_manager.cc

 // Copyright 2013 The Chromium Authors. All rights reserved.
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
 #include "content/browser/frame_host/render_frame_host_manager.h"
 
 #include <stddef.h>
 
 #include <algorithm>
 #include <utility>
@@ skipping 1273 matching lines @@
     // we need to set the site first, otherwise after a restore none of the
     // pages would share renderers in process-per-site.
     //
     // The embedder can request some urls never to be assigned to SiteInstance
     // through the ShouldAssignSiteForURL() content client method, so that
     // renderers created for particular chrome urls (e.g. the chrome-native://
     // scheme) can be reused for subsequent navigations in the same WebContents.
     // See http://crbug.com/386542.
     if (dest_is_restore &&
         GetContentClient()->browser()->ShouldAssignSiteForURL(dest_url)) {
+      // TODO(nick): What needs to happen so that TDI works with session
+      // restore?
       current_instance_impl->SetSite(dest_url);
     }
 
+    // TODO(nick): Hopefully this whole block is not relevant for TDI mode?
     return SiteInstanceDescriptor(current_instance_impl);
   }
 
   // Otherwise, only create a new SiteInstance for a cross-process navigation.
 
   // TODO(creis): Once we intercept links and script-based navigations, we
   // will be able to enforce that all entries in a SiteInstance actually have
   // the same site, and it will be safe to compare the URL against the
   // SiteInstance's site, as follows:
   // const GURL& current_url = current_instance_impl->site();
@@ skipping 34 matching lines @@
   if (SiteInstance::IsSameWebSite(browser_context, current_url, dest_url) &&
       !current_instance_impl->HasWrongProcessForURL(dest_url)) {
     return SiteInstanceDescriptor(current_instance_impl);
   }
 
   // Start the new renderer in a new SiteInstance, but in the current
   // BrowsingInstance.  It is important to immediately give this new
   // SiteInstance to a RenderViewHost (if it is different than our current
   // SiteInstance), so that it is ref counted.  This will happen in
   // CreateRenderView.
-  return SiteInstanceDescriptor(browser_context, dest_url, true);
+  SiteInstanceDescriptor result(browser_context, dest_url, true);
+
+  if (!current_instance_impl->HasRelatedSiteInstance(dest_url) &&
+      !frame_tree_node_->IsMainFrame() &&
+      SiteIsolationPolicy::UseDedicatedProcessForTopDocument() &&
+      !SiteInstanceImpl::DoesSiteRequireDedicatedProcess(browser_context,
+                                                         dest_url)) {
+    result.is_for_third_party_subframes = true;
+  }
+
+  return result;
 }
 
 bool RenderFrameHostManager::IsRendererTransferNeededForNavigation(
     RenderFrameHostImpl* rfh,
     const GURL& dest_url) {
   // A transfer is not needed if the current SiteInstance doesn't yet have a
   // site.  This is the case for tests that use NavigateToURL.
   if (!rfh->GetSiteInstance()->HasSite())
     return false;
 
@@ skipping 11 matching lines @@
 
   BrowserContext* context = rfh->GetSiteInstance()->GetBrowserContext();
   GURL effective_url = SiteInstanceImpl::GetEffectiveURL(context, dest_url);
 
   // TODO(nasko, nick): These following --site-per-process checks are
   // overly simplistic. Update them to match all the cases
   // considered by DetermineSiteInstanceForURL.
   if (SiteInstance::IsSameWebSite(rfh->GetSiteInstance()->GetBrowserContext(),
                                   rfh->GetSiteInstance()->GetSiteURL(),
                                   dest_url)) {
-    return false;  // The same site, no transition needed.
+    // The same site, no transition needed for security purposes, and we must
+    // keep the same SiteInstance for correctness of synchronous scripting.
+    return false;
   }
 
   // The sites differ. If either one requires a dedicated process,
   // then a transfer is needed.
-  return rfh->GetSiteInstance()->RequiresDedicatedProcess() ||
-         SiteInstanceImpl::DoesSiteRequireDedicatedProcess(context,
-                                                           effective_url);
+  if (rfh->GetSiteInstance()->RequiresDedicatedProcess() ||
+      SiteInstanceImpl::DoesSiteRequireDedicatedProcess(context,
+                                                        effective_url)) {
+    return true;
+  }
+
+  // If this site already exists in the browsing instance, we should transfer to
+  // the existing process for that site.
+  // TODO(nick):
+  //   - Should we only switch back if the existing site instance has the
+  //     dedicated bit set?
+  if (rfh->GetSiteInstance()->HasRelatedSiteInstance(effective_url)) {

[Charlie Reis, 2016/03/18 21:15:13]

Note: this affects --isolate-extensions as well.  Repro steps:
1) Page A opens a new window.
2) Navigate new window to B (new process, same BrowsingInstance).
3) Page A adds a subframe to B.

We create an OOPIF for it in --isolate-extensions, even though there's no
extensions involved.  We should avoid that.

+    if (rfh->GetSiteInstance()->GetRelatedSiteInstance(effective_url) !=
+        rfh->GetSiteInstance()) {
+      return true;
+    }
+  }
+  return false;
 }
 
 SiteInstance* RenderFrameHostManager::ConvertToSiteInstance(
     const SiteInstanceDescriptor& descriptor,
     SiteInstance* candidate_instance) {
-  SiteInstance* current_instance = render_frame_host_->GetSiteInstance();
+  SiteInstanceImpl* current_instance = render_frame_host_->GetSiteInstance();
 
   // Note: If the |candidate_instance| matches the descriptor, it will already
   // be set to |descriptor.existing_site_instance|.
   if (descriptor.existing_site_instance)
     return descriptor.existing_site_instance;
 
   // Note: If the |candidate_instance| matches the descriptor,
   // GetRelatedSiteInstance will return it.
-  if (descriptor.new_is_related_to_current)
-    return current_instance->GetRelatedSiteInstance(descriptor.new_site_url);
+  if (descriptor.new_is_related_to_current) {
+    if (descriptor.is_for_third_party_subframes)
+      return current_instance->GetRelatedSiteInstanceForThirdPartySubframes(
+          descriptor.new_site_url);
+    else
+      return current_instance->GetRelatedSiteInstance(descriptor.new_site_url);
+  }
 
   // At this point we know an unrelated site instance must be returned. First
   // check if the candidate matches.
   if (candidate_instance &&
       !current_instance->IsRelatedSiteInstance(candidate_instance) &&
       candidate_instance->GetSiteURL() == descriptor.new_site_url) {
     return candidate_instance;
   }
 
   // Otherwise return a newly created one.
@@ skipping 1016 matching lines @@
   } else if (pending_render_frame_host_) {
     send_msg(pending_render_frame_host_.get(),
              pending_render_frame_host_->GetRoutingID(), msg);
   }
 
   msg->set_routing_id(render_frame_host_->GetRoutingID());
   render_frame_host_->Send(msg);
 }
 
 }  // namespace content