Introduce support for origins that require process isolation.

content/browser/site_instance_impl.cc

 // Copyright (c) 2012 The Chromium Authors. All rights reserved.
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
 #include "content/browser/site_instance_impl.h"
 
+#include "base/macros.h"
 #include "base/memory/ptr_util.h"
 #include "content/browser/browsing_instance.h"
 #include "content/browser/child_process_security_policy_impl.h"
 #include "content/browser/frame_host/debug_urls.h"
 #include "content/browser/frame_host/frame_tree_node.h"
 #include "content/browser/renderer_host/render_process_host_impl.h"
 #include "content/browser/storage_partition_impl.h"
 #include "content/common/site_isolation_policy.h"
 #include "content/public/browser/content_browser_client.h"
 #include "content/public/browser/render_process_host_factory.h"
@@ skipping 284 matching lines @@
   // If either URL is invalid, they aren't part of the same site.
   if (!src_url.is_valid() || !dest_url.is_valid())
     return false;
 
   // If the destination url is just a blank page, we treat them as part of the
   // same site.
   GURL blank_page(url::kAboutBlankURL);
   if (dest_url == blank_page)
     return true;
 
+  // If either URL has an isolated origin, compare origins rather than sites.
+  // This must be done before the GetEffectiveURL resolution, as isolated

[Charlie Reis, 2017/05/19 00:10:19]

nit: We're not doing it before the GetEffectiveURL calls, and there's a few
additional checks before this as well.  I think that might be ok, and we should
just rephrase the comment (s/before/on the full URLs without/)?

[alexmos, 2017/05/24 00:28:33]

This no longer applies now that I've modified GetEffectiveURL itself to be aware
of isolated origins and removed the comment.

+  // origins take precedence over hosted apps.
+  url::Origin src_origin(real_src_url);
+  url::Origin dest_origin(real_dest_url);
+  auto* policy = ChildProcessSecurityPolicyImpl::GetInstance();
+  if (policy->IsIsolatedOrigin(src_origin) ||
+      policy->IsIsolatedOrigin(dest_origin))
+    return src_origin == dest_origin;
+
   // If the schemes differ, they aren't part of the same site.
+  //
+  // Note that this happens after the isolated origin check, since blob or
+  // filesystem URLs will fail this check even though they might have the
+  // same origin.
   if (src_url.scheme() != dest_url.scheme())
     return false;
 
   return net::registry_controlled_domains::SameDomainOrHost(
       src_url,
       dest_url,
       net::registry_controlled_domains::INCLUDE_PRIVATE_REGISTRIES);
 }
 
 // static
 GURL SiteInstance::GetSiteForURL(BrowserContext* browser_context,
                                  const GURL& real_url) {
   // TODO(fsamuel, creis): For some reason appID is not recognized as a host.
   if (real_url.SchemeIs(kGuestScheme))
     return real_url;
 
+  // Isolated origins should use the full origin as their site URL. This is
+  // intentionally checked before resolving the URL with GetEffectiveURL, as
+  // isolated origins must take precedence over hosted apps.
+  auto* policy = ChildProcessSecurityPolicyImpl::GetInstance();
+  url::Origin real_origin(real_url);
+  if (policy->IsIsolatedOrigin(real_origin))
+    return real_origin.GetURL();
+
   GURL url = SiteInstanceImpl::GetEffectiveURL(browser_context, real_url);
   url::Origin origin(url);
 
   // If the url has a host, then determine the site.
   if (!origin.host().empty()) {
     // Only keep the scheme and registered domain of |origin|.
     std::string domain = net::registry_controlled_domains::GetDomainAndRegistry(
         origin.host(),
         net::registry_controlled_domains::INCLUDE_PRIVATE_REGISTRIES);
     std::string site = origin.scheme();
@@ skipping 20 matching lines @@
 }
 
 // static
 bool SiteInstanceImpl::DoesSiteRequireDedicatedProcess(
     BrowserContext* browser_context,
     const GURL& url) {
   // If --site-per-process is enabled, site isolation is enabled everywhere.
   if (SiteIsolationPolicy::UseDedicatedProcessesForAllSites())
     return true;
 
+  // For now, always require a dedicated process for isolated origins.
+  // TODO(alexmos): revisit this for Isolate-Me.

[Charlie Reis, 2017/05/19 00:10:19]

I may just be forgetting, but why would an Isolate-Me origin not require a
dedicated process?

[alexmos, 2017/05/24 00:28:33]

I was just thinking about the discussion that isolate-me is more of a hint for
the process model rather than a requirement, and that if too many sites use
isolate-me, we might not be able to guarantee a dedicated process for each one,
unless we totally remove the process limit.  Or would that be done through a
separate process reuse policy, and we'll still treat isolate-me origins as
requiring dedicated processes?

[Charlie Reis, 2017/05/25 01:54:37]

I see.  Yeah, I think there's some flexibility in how we implement it.  I was
kind of imagining that we wouldn't put the origin on the list of isolated
origins if we decide we can't honor the request, but I like the idea of using a
process reuse policy instead to just let them share with each other if
necessary.

[alexmos, 2017/05/25 16:58:49]

Yes - I removed the comment given that this place may not be affected at all for
isolate-me if we do things through process reuse policy.  It's probably better
to figure things out once we start implementing isolate-me than to add this
comment now and have it become stale later on.

+  GURL site_url = GetSiteForURL(browser_context, url);
+  auto* policy = ChildProcessSecurityPolicyImpl::GetInstance();
+  if (policy->IsIsolatedOrigin(url::Origin(site_url)))
+    return true;
+
   // Let the content embedder enable site isolation for specific URLs. Use the
   // canonical site url for this check, so that schemes with nested origins
   // (blob and filesystem) work properly.
-  GURL site_url = GetSiteForURL(browser_context, url);
   if (GetContentClient()->IsSupplementarySiteIsolationModeEnabled() &&
       GetContentClient()->browser()->DoesSiteRequireDedicatedProcess(
           browser_context, site_url)) {
     return true;
   }
 
   return false;
 }
 
 void SiteInstanceImpl::RenderProcessHostDestroyed(RenderProcessHost* host) {
@@ skipping 44 matching lines @@
             browsing_instance_->browser_context(), site_))
       return;
 
     ChildProcessSecurityPolicyImpl* policy =
         ChildProcessSecurityPolicyImpl::GetInstance();
     policy->LockToOrigin(process_->GetID(), site_);
   }
 }
 
 }  // namespace content