Introduce support for origins that require process isolation.

content/browser/site_instance_impl.h

 // Copyright (c) 2012 The Chromium Authors. All rights reserved.
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
 #ifndef CONTENT_BROWSER_SITE_INSTANCE_IMPL_H_
 #define CONTENT_BROWSER_SITE_INSTANCE_IMPL_H_
 
 #include <stddef.h>
 #include <stdint.h>
 
 #include "base/macros.h"
 #include "base/observer_list.h"
 #include "content/browser/renderer_host/render_process_host_impl.h"
 #include "content/common/content_export.h"
 #include "content/public/browser/render_process_host_observer.h"
 #include "content/public/browser/site_instance.h"

[Charlie Reis, 2017/05/05 23:18:51]

I wonder if we should update the comments at the top of site_instance.h to talk
about the fact that we can now track origins as well as sites.

I think it's worth mentioning, but I suppose it's not part of the public API
yet.  I imagine we'll need to make AddIsolatedOrigin public at some point for
the features that plan to use it, so maybe we can do it then.

[alexmos, 2017/05/16 17:26:37]

Yes, I've considered updating those and came to the same conclusion.  I agree we
can update the comments once we expose isolated origins from the public API.

 #include "url/gurl.h"
 
 namespace content {
 class BrowsingInstance;
 class RenderProcessHostFactory;
 
 class CONTENT_EXPORT SiteInstanceImpl final : public SiteInstance,
                                               public RenderProcessHostObserver {
  public:
   class CONTENT_EXPORT Observer {
@@ skipping 90 matching lines @@
   static GURL GetEffectiveURL(BrowserContext* browser_context,
                               const GURL& url);
 
   // Returns true if pages loaded from |url| ought to be handled only by a
   // renderer process isolated from other sites. If --site-per-process is on the
   // command line, this is true for all sites. In other site isolation modes,
   // only a subset of sites will require dedicated processes.
   static bool DoesSiteRequireDedicatedProcess(BrowserContext* browser_context,
                                               const GURL& url);
 
+  // Add an origin to the list of origins that require process isolation.
+  // When making process model decisions for such origins, the full
+  // scheme+host+port tuple rather than eTLD+1 will be used.  SiteInstances for

[Charlie Reis, 2017/05/05 23:18:51]

Maybe clarify that the default is scheme + eTLD+1?

[alexmos, 2017/05/16 17:26:38]

Yes, thanks, I was sloppy there.  Updated here and in a couple of other places.

+  // these origins will also use the full origin as site URL.

[Charlie Reis, 2017/05/05 23:18:51]

This is the first use of url::Origin in this class.  Should we clarify some of
the potential gotchas?  A few that come to mind:
 - Can't use unique origins here (e.g., data)
 - What happens to a sandboxed iframe with this origin (but whose url::Origin is
unique)?
 - Presumably about:blank pages within a url::Origin go into that process?

There's probably more...  :)

[alexmos, 2017/05/16 17:26:38]

Yes, good idea.  This moved to ChildProcessSecurityPolicy, but I added some
comments along those lines there.

+  static void AddIsolatedOrigin(const url::Origin& origin);
+
+  // Register a set of isolated origins as specified on the command line with
+  // the --isolate-origins flag.  |origin_list| is the flag's value, which
+  // contains the list of comma-separated scheme-host-port origins. See
+  // AddIsolatedOrigin for definition of an isolated origin.
+  static void AddIsolatedOriginsFromCommandLine(const std::string& origin_list);
+
+  // Helper to check whether an origin requires origin-wide process isolation.
+  static bool IsIsolatedOrigin(const url::Origin& origin);
+
  private:
   friend class BrowsingInstance;
   friend class SiteInstanceTestBrowserClient;
+  FRIEND_TEST_ALL_PREFIXES(SiteInstanceTest, IsolateOriginsFromCommandLine);
 
   // Create a new SiteInstance.  Only BrowsingInstance should call this
   // directly; clients should use Create() or GetRelatedSiteInstance() instead.
   explicit SiteInstanceImpl(BrowsingInstance* browsing_instance);
 
   ~SiteInstanceImpl() override;
 
   // RenderProcessHostObserver implementation.
   void RenderProcessHostDestroyed(RenderProcessHost* host) override;
   void RenderProcessWillExit(RenderProcessHost* host) override;
   void RenderProcessExited(RenderProcessHost* host,
                            base::TerminationStatus status,
                            int exit_code) override;
 
   // Used to restrict a process' origin access rights.
   void LockToOrigin();
 
   // This gets the render process to use for default subframe site instances.
   RenderProcessHost* GetDefaultSubframeProcessHost(
       BrowserContext* browser_context,
       bool is_for_guests_only);
 
   void set_is_default_subframe_site_instance() {
     is_default_subframe_site_instance_ = true;
   }
 
+  // Tracks origins for which the entire origin should be treated as a site
+  // when making process model decisions, rather than the origin's eTLD+1. Each

[Charlie Reis, 2017/05/05 23:18:51]

Same nit about previous definition of site.

[alexmos, 2017/05/16 17:26:38]

Done.

+  // of these origins requires a dedicated process.
+  using IsolatedOriginSet = std::set<url::Origin>;
+  static IsolatedOriginSet* GetIsolatedOrigins();
+
   // An object used to construct RenderProcessHosts.
   static const RenderProcessHostFactory* g_render_process_host_factory_;
 
   // The next available SiteInstance ID.
   static int32_t next_site_instance_id_;
 
   // A unique ID for this SiteInstance.
   int32_t id_;
 
   // The number of active frames in this SiteInstance.
@@ skipping 20 matching lines @@
   bool is_default_subframe_site_instance_;
 
   base::ObserverList<Observer, true> observers_;
 
   DISALLOW_COPY_AND_ASSIGN(SiteInstanceImpl);
 };
 
 }  // namespace content
 
 #endif  // CONTENT_BROWSER_SITE_INSTANCE_IMPL_H_