PlzNavigate: Enforce frame-src CSP on the browser.

content/browser/frame_host/render_frame_host_manager.cc

Index: content/browser/frame_host/render_frame_host_manager.cc
diff --git a/content/browser/frame_host/render_frame_host_manager.cc b/content/browser/frame_host/render_frame_host_manager.cc
index db0cf760cfc4157ccbf39a35869061d2f6cf3c87..7b8ac94f7a1c56f3148e1815ffab84fd6d44b381 100644
--- a/content/browser/frame_host/render_frame_host_manager.cc
+++ b/content/browser/frame_host/render_frame_host_manager.cc
@@ -40,6 +40,7 @@
 #include "content/common/frame_owner_properties.h"
 #include "content/common/site_isolation_policy.h"
 #include "content/common/view_messages.h"
+#include "content/public/browser/browser_context.h"
 #include "content/public/browser/content_browser_client.h"
 #include "content/public/browser/render_process_host_observer.h"
 #include "content/public/browser/render_widget_host_iterator.h"
@@ -811,6 +812,24 @@ RenderFrameHostImpl* RenderFrameHostManager::GetFrameHostForNavigation(
     no_renderer_swap |= !CanSubframeSwapProcess(
         request.common_params().url, request.source_site_instance(),
         request.dest_site_instance(), was_server_redirect);
+
+    // Even if the url should warrant a process swap, check if the newly created
+    // SiteInstance would use the same storage partition as its parent. If

[nasko, 2017/03/03 23:04:23]

nit: StoragePartition

[arthursonzogni, 2017/03/06 15:10:13]

Done.

+    // that's not the case, the subframe should not swap processes, as there is
+    // not support for having an OOPIF that does not share the storage partition
+    // of its parent.

[nasko, 2017/03/03 23:04:23]

That seems like a good property to enforce long term, but I'm a bit weary of
introducing it as part of this patch, as it will be hard to discover.

[arthursonzogni, 2017/03/06 15:10:13]

I moved it to:
https://codereview.chromium.org/2732883003

+    BrowserContext* browser_context =
+        frame_tree_node_->navigator()->GetController()->GetBrowserContext();
+    bool share_parent_storage_partition =
+        BrowserContext::GetStoragePartition(browser_context,
+                                            dest_site_instance.get()) ==
+        BrowserContext::GetStoragePartition(browser_context,
+                                            frame_tree_node_->parent()
+                                                ->current_frame_host()
+                                                ->GetSiteInstance());
+    no_renderer_swap |=
+        (!SiteIsolationPolicy::UseDedicatedProcessesForAllSites() &&

[nasko, 2017/03/03 23:04:23]

Why check for UseDedicatedProcessesForAllSites? If we want to uniformly enforce
that no frame in the same WebContents uses a different StoragePartition, then
UseDedicatedProcessesForAllSites shouldn't factor in that decision.

[arthursonzogni, 2017/03/06 15:10:13]

I checked with Camille. It was because what is written in
SiteDetailsBrowserTest.PlatformAppsNotIsolated about --isolate-extensions. This
comment is no more valid since Chrome no longer allow external web content
inside sandboxed page in Platform Apps V2.
I removed it in https://codereview.chromium.org/2732883003

Not using a different process when UseDedicatedProcessesForAllSites is true is a
little bit weird though.

+         !share_parent_storage_partition);
   }
 
   if (no_renderer_swap) {