
Unified Diff: content/browser/site_instance_impl.cc

Issue 2831683002: Introduce support for origins that require process isolation. (Closed)
Patch Set: Update comments Created 3 years, 8 months ago
Index: content/browser/site_instance_impl.cc
diff --git a/content/browser/site_instance_impl.cc b/content/browser/site_instance_impl.cc
index a4c886260e008f39fc30ab153d898df9fd09f2d0..ec7b61087048f684fde87c6ed7f4febe715b3aff 100644
--- a/content/browser/site_instance_impl.cc
+++ b/content/browser/site_instance_impl.cc
@@ -4,6 +4,7 @@
#include "content/browser/site_instance_impl.h"
+#include "base/macros.h"
#include "content/browser/browsing_instance.h"
#include "content/browser/child_process_security_policy_impl.h"
#include "content/browser/frame_host/debug_urls.h"
@@ -403,7 +404,18 @@ bool SiteInstance::IsSameWebSite(BrowserContext* browser_context,
if (dest_url == blank_page)
return true;
+ // If either URL has an isolated origin, compare origins rather than sites.
+ url::Origin src_origin(src_url);
+ url::Origin dest_origin(dest_url);
+ if (SiteInstanceImpl::IsIsolatedOrigin(src_origin) ||
+ SiteInstanceImpl::IsIsolatedOrigin(dest_origin))
+ return src_origin == dest_origin;
+
// If the schemes differ, they aren't part of the same site.
+ //
+ // Note that this happens after the isolated origin check, since blob or
+ // filesystem URLs will fail this check even though they might have the
+ // same origin.
alexmos 2017/05/03 23:31:08 I discovered this when writing SiteInstanceTest.Is
if (src_url.scheme() != dest_url.scheme())
return false;
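Review bot: The new comment at the isolated-origin check in IsSameWebSite should say what "compare origins" means, because `src_origin == dest_origin` is an exact scheme/host/port match, which is stricter than the site comparison it pre-empts. As written, a URL on the same host but a different port, or on a subdomain of an isolated origin, is reported as a different site, and the same exact match decides the site URL in the GetSiteForURL hunk. I would extend the comment to something like `// Isolated origins match exactly (scheme, host and port); subdomains and other ports are not covered.` The function starts and ends outside this hunk, so any earlier URL rewriting is not visible here.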
@@ -421,7 +433,11 @@ GURL SiteInstance::GetSiteForURL(BrowserContext* browser_context,
return real_url;
GURL url = SiteInstanceImpl::GetEffectiveURL(browser_context, real_url);
+
+ // Isolated origins should use the full origin as their site URL.
url::Origin origin(url);
+ if (SiteInstanceImpl::IsIsolatedOrigin(origin))
+ return origin.GetURL();
// If the url has a host, then determine the site.
if (!origin.host().empty()) {
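Review bot: The isolation check in GetSiteForURL runs on the origin of `url`, which is the result of `GetEffectiveURL(browser_context, real_url)`, not on `real_url` itself. If an embedder's effective-URL mapping rewrites a URL whose real origin is isolated, the lookup would miss and the URL would fall through to the ordinary site computation, so isolation would depend on the embedder never remapping such URLs. Either state that precedence in the comment, e.g. `// Checked on the effective URL; an embedder remapping takes precedence over origin isolation.`, or check `url::Origin(real_url)` before the translation if isolation is meant to win. The function body continues outside the hunk.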
@@ -460,10 +476,15 @@ bool SiteInstanceImpl::DoesSiteRequireDedicatedProcess(
if (SiteIsolationPolicy::UseDedicatedProcessesForAllSites())
return true;
+ // For now, always require a dedicated process for isolated origins.
+ // TODO(alexmos): revisit this for Isolate-Me.
+ GURL site_url = GetSiteForURL(browser_context, url);
+ if (IsIsolatedOrigin(url::Origin(site_url)))
+ return true;
+
// Let the content embedder enable site isolation for specific URLs. Use the
// canonical site url for this check, so that schemes with nested origins
// (blob and filesystem) work properly.
- GURL site_url = GetSiteForURL(browser_context, url);
if (GetContentClient()->IsSupplementarySiteIsolationModeEnabled() &&
GetContentClient()->browser()->DoesSiteRequireDedicatedProcess(
browser_context, site_url)) {
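Review bot: DoesSiteRequireDedicatedProcess tests `IsIsolatedOrigin(url::Origin(site_url))` on the site URL rather than on the origin of `url`, so the answer depends on what GetSiteForURL returns for URLs that are not themselves isolated. The rest of GetSiteForURL is not visible here, but if it reduces such URLs to scheme plus registrable domain, a subdomain of an isolated origin that is itself a registrable domain would get the same site URL as the isolated origin, while IsSameWebSite in this change reports the two as different. That case deserves a test, and the assumption should be documented next to the check, e.g. `// NOTE: assumes a non-isolated URL never maps to an isolated origin's site URL.` The function starts outside this hunk.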
@@ -473,6 +494,36 @@ bool SiteInstanceImpl::DoesSiteRequireDedicatedProcess(
return false;
}
+// static
+void SiteInstanceImpl::AddIsolatedOrigin(const url::Origin& origin) {
+ DCHECK(!origin.unique());
+ DCHECK(!IsIsolatedOrigin(origin));
+
+ GetIsolatedOrigins()->insert(origin);
+}
+
+void SiteInstanceImpl::AddIsolatedOriginsFromCommandLine(
+ const std::string& origin_list) {
+ for (const base::StringPiece& origin_piece :
+ base::SplitStringPiece(origin_list, ",", base::TRIM_WHITESPACE,
+ base::SPLIT_WANT_NONEMPTY)) {
+ url::Origin origin((GURL(origin_piece)));
+ if (!origin.unique())
+ SiteInstanceImpl::AddIsolatedOrigin(origin);
+ }
+}
+
+// static
+bool SiteInstanceImpl::IsIsolatedOrigin(const url::Origin& origin) {
+ return GetIsolatedOrigins()->find(origin) != GetIsolatedOrigins()->end();
+}
+
+// static
+SiteInstanceImpl::IsolatedOriginSet* SiteInstanceImpl::GetIsolatedOrigins() {
+ CR_DEFINE_STATIC_LOCAL(IsolatedOriginSet, isolated_origins, ());
+ return &isolated_origins;
+}
+
void SiteInstanceImpl::RenderProcessHostDestroyed(RenderProcessHost* host) {
DCHECK_EQ(process_, host);
process_->RemoveObserver(this);
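Review bot: AddIsolatedOriginsFromCommandLine passes every parsed origin to AddIsolatedOrigin, whose `DCHECK(!IsIsolatedOrigin(origin))` fires when the list repeats an origin, so a duplicated entry aborts DCHECK-enabled builds; guard the call with `if (!origin.unique() && !IsIsolatedOrigin(origin))`. Entries that parse to a unique origin are dropped without any message, which for an isolation setting means a typo silently leaves that origin un-isolated; a `LOG(ERROR)` naming the rejected piece would make that visible. The set returned by GetIsolatedOrigins is a plain static with no lock or thread assertion in these lines, so if IsIsolatedOrigin can be reached from a thread other than the one that populates it, it needs a lock or a documented single-thread contract. AddIsolatedOriginsFromCommandLine also lacks the `// static` marker the other three definitions carry, assuming it is static as its qualified call suggests.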
