BASELINE: Update Chromium to 86.0.4240.124

Change-Id: Ide0ff151e94cd665ae6521a446995d34a9d1d644
Reviewed-by: Allan Sandfeld Jensen <allan.jensen@qt.io>

1 files changed, 134 insertions, 75 deletions

diff --git a/chromium/content/browser/site_instance_impl.h b/chromium/content/browser/site_instance_impl.h
index 571e6381f24..c829688c4d4 100644
--- a/chromium/content/browser/site_instance_impl.h
+++ b/chromium/content/browser/site_instance_impl.h
@@ -9,7 +9,6 @@
 #include <stdint.h>
 
 #include "base/observer_list.h"
-#include "base/optional.h"
 #include "content/browser/isolation_context.h"
 #include "content/browser/renderer_host/render_process_host_impl.h"
 #include "content/common/content_export.h"
@@ -19,8 +18,11 @@
 #include "url/origin.h"
 
 namespace content {
+class AgentSchedulingGroupHost;
 class BrowsingInstance;
+class ProcessLock;
 class RenderProcessHostFactory;
+class StoragePartitionImpl;
 
 // SiteInfo represents the principal of a SiteInstance. All documents and
 // workers within a SiteInstance are considered part of this principal and will
@@ -50,7 +52,13 @@ class CONTENT_EXPORT SiteInfo {
  public:
   static SiteInfo CreateForErrorPage();
 
-  explicit SiteInfo(const GURL& site_url);
+  // The SiteInfo constructor should take in all values needed for comparing two
+  // SiteInfos, to help ensure all creation sites are updated accordingly when
+  // new values are added. The private function MakeTie() should be updated
+  // accordingly.
+  SiteInfo(const GURL& site_url,
+           const GURL& process_lock_url,
+           bool is_origin_keyed);
   SiteInfo() = default;
 
   // Returns the site URL associated with all of the documents and workers in
@@ -71,18 +79,62 @@ class CONTENT_EXPORT SiteInfo {
   //   the same site_url() but that differ in other properties.
   const GURL& site_url() const { return site_url_; }
 
+  // Returns the URL which should be used in a SetProcessLock call for this
+  // SiteInfo's process.  This is the same as |site_url_| except for cases
+  // involving effective URLs, such as hosted apps.  In those cases, this URL is
+  // a site URL that is computed without the use of effective URLs.
+  //
+  // NOTE: This URL is currently set even in cases where this SiteInstance's
+  //       process is *not* going to be locked to it.  Callers should be careful
+  //       to consider this case when comparing lock URLs; ShouldLockProcess()
+  //       may be used to determine whether the process lock will actually be
+  //       used.
+  //
+  // TODO(alexmos): See if we can clean this up and not set |process_lock_url_|
+  //                if the SiteInstance's process isn't going to be locked.
+  const GURL& process_lock_url() const { return process_lock_url_; }
+
+  // Returns whether this SiteInfo is specific to an origin rather than a site,
+  // such as due to opt-in origin isolation. This resolves an ambiguity of
+  // whether a process with a lock_url() like "https://foo.example" is allowed
+  // to include "https://sub.foo.example" or not. In opt-in isolation, it is
+  // possible for example.com to be isolated, and sub.example.com not be
+  // isolated. In contrast, if command-line isolation is used to isolate
+  // example.com, then sub.example.com is also (automatically) isolated.
+  // Also note that opt-in isolated origins will include ports (if non-default)
+  // in their site urls.
+  bool is_origin_keyed() const { return is_origin_keyed_; }
+
+  // Returns false if the site_url() is empty.
+  bool is_empty() const { return site_url().possibly_invalid_spec().empty(); }
+
   bool operator==(const SiteInfo& other) const;
   bool operator!=(const SiteInfo& other) const;
 
+  // Defined to allow this object to act as a key for std::map and std::set.
+  bool operator<(const SiteInfo& other) const;
+
   // Returns a string representation of this SiteInfo principal.
   std::string GetDebugString() const;
 
  private:
+  static auto MakeTie(const SiteInfo& site_info);
+
   GURL site_url_;
-  // TODO(crbug.com/1067389): Add site vs origin granularity.
+  // The URL to use when locking a process to this SiteInstance's site via
+  // SetProcessLock(). This is the same as |site_url_| except for cases
+  // involving effective URLs, such as hosted apps.  In those cases, this URL is
+  // a site URL that is computed without the use of effective URLs.
+  GURL process_lock_url_;
+  // Indicates whether this SiteInfo is specific to a single origin, rather than
+  // including all subdomains of that origin. Only used for opt-in origin
+  // isolation. In contrast, the site-level URLs that are typically used in
+  // SiteInfo include subdomains, as do command-line isolated origins.
+  bool is_origin_keyed_ = false;
 };
 
-std::ostream& operator<<(std::ostream& out, const SiteInfo& site_info);
+CONTENT_EXPORT std::ostream& operator<<(std::ostream& out,
+                                        const SiteInfo& site_info);
 
 class CONTENT_EXPORT SiteInstanceImpl final : public SiteInstance,
                                               public RenderProcessHostObserver {
@@ -132,12 +184,6 @@ class CONTENT_EXPORT SiteInstanceImpl final : public SiteInstance,
 
   static bool ShouldAssignSiteForURL(const GURL& url);
 
-  // Returns whether |lock_url| is at least at the granularity of a site (i.e.,
-  // a scheme plus eTLD+1, like https://google.com).  Also returns true if the
-  // lock is to a more specific origin (e.g., https://accounts.google.com), but
-  // not if the lock is empty or applies to an entire scheme (e.g., file://).
-  static bool IsOriginLockASite(const GURL& lock_url);
-
   // Return whether both URLs are part of the same web site, for the purpose of
   // assigning them to processes accordingly.  The decision is currently based
   // on the registered domain of the URLs (google.com, bbc.co.uk), as well as
@@ -213,8 +259,9 @@ class CONTENT_EXPORT SiteInstanceImpl final : public SiteInstance,
   // another SiteInstance from the same site.
   bool is_for_service_worker() const { return is_for_service_worker_; }
 
-  // Returns the URL which was used to set the |site_| for this SiteInstance.
-  // May be empty if this SiteInstance does not have a |site_|.
+  // Returns the URL which was used to set the |site_info_| for this
+  // SiteInstance. May be empty if this SiteInstance does not have a
+  // |site_info_|.
   const GURL& original_url() {
     DCHECK(!IsDefaultSiteInstance());
     return original_url_;
@@ -226,20 +273,6 @@ class CONTENT_EXPORT SiteInstanceImpl final : public SiteInstance,
   bool IsOriginalUrlSameSite(const GURL& dest_url,
                              bool should_compare_effective_urls);
 
-  // Returns the URL which should be used in a LockToOrigin call for this
-  // SiteInstance's process.  This is the same as |site_| except for cases
-  // involving effective URLs, such as hosted apps.  In those cases, this URL
-  // is a site URL that is computed without the use of effective URLs.
-  //
-  // NOTE: This URL is currently set even in cases where this SiteInstance's
-  // process is *not* going to be locked to it.  Callers should be careful to
-  // consider this case when comparing lock URLs; ShouldLockToOrigin() may be
-  // used to determine whether the process lock will actually be used.
-  //
-  // TODO(alexmos): See if we can clean this up and not set |lock_url_| if the
-  // SiteInstance's process isn't going to be locked.
-  const GURL& lock_url() { return lock_url_; }
-
   // True if |url| resolves to an effective URL that is different from |url|.
   // See GetEffectiveURL().  This will be true for hosted apps as well as NTP
   // URLs.
@@ -253,6 +286,27 @@ class CONTENT_EXPORT SiteInstanceImpl final : public SiteInstance,
   // GetSiteURL().
   const SiteInfo& GetSiteInfo();
 
+  // Returns a ProcessLock that can be used with SetProcessLock to lock a
+  // process to this SiteInstance's SiteInfo. The ProcessLock relies heavily on
+  // the SiteInfo's process_lock_url() for security decisions.
+  const ProcessLock GetProcessLock() const;
+
+  // Helper function that returns the storage partition domain for this
+  // object.
+  // This is a temporary helper function used to verify that
+  // the partition domain computed using this SiteInstance's site URL matches
+  // the partition domain returned by storage_partition->GetPartitionDomain().
+  // If there is a mismatch, we call DumpWithoutCrashing() and return the value
+  // computed from the site URL since that is the legacy behavior.
+  //
+  // TODO(acolwell) : Remove this function and update callers to directly call
+  // storage_partition->GetPartitionDomain() once we've verified that this is
+  // safe.
+  std::string GetPartitionDomain(StoragePartitionImpl* storage_partition);
+
+  // This function returns a SiteInfo with the appropriate site_url and
+  // process_lock_url computed. This function can only be called on the UI
+  // thread since it expects an effective URL.
   // Note: eventually this function will replace GetSiteForURL().
   static SiteInfo ComputeSiteInfo(const IsolationContext& isolation_context,
                                   const GURL& url);
@@ -273,11 +327,12 @@ class CONTENT_EXPORT SiteInstanceImpl final : public SiteInstance,
   // GetSiteForURL() should be used instead.
   static GURL GetSiteForOrigin(const url::Origin& origin);
 
-  // Returns the URL to which a process should be locked for the given URL.
-  // This is computed similarly to the site URL (see GetSiteForURL), but
-  // without resolving effective URLs.
-  static GURL DetermineProcessLockURL(const IsolationContext& isolation_context,
-                                      const GURL& url);
+  // Similar to above, but also computes a full SiteInfo (including a
+  // process_lock_url) and returns a ProcessLock. If called from the IO thread,
+  // this will return a ProcessLock that doesn't consider effective URLs.
+  static ProcessLock DetermineProcessLock(
+      const IsolationContext& isolation_context,
+      const GURL& url);
 
   // Set the web site that this SiteInstance is rendering pages for.
   // This includes the scheme and registered domain, but not the port.  If the
@@ -296,9 +351,9 @@ class CONTENT_EXPORT SiteInstanceImpl final : public SiteInstance,
   bool HasSite() const;
 
   // Returns whether there is currently a related SiteInstance (registered with
-  // BrowsingInstance) for the site of the given url.  If so, we should try to
-  // avoid dedicating an unused SiteInstance to it (e.g., in a new tab).
-  bool HasRelatedSiteInstance(const GURL& url);
+  // BrowsingInstance) for the given SiteInfo.  If so, we should try to avoid
+  // dedicating an unused SiteInstance to it (e.g., in a new tab).
+  bool HasRelatedSiteInstance(const SiteInfo& site_info);
 
   // Returns whether this SiteInstance is compatible with and can host the given
   // |url|. If not, the browser should force a SiteInstance swap when
@@ -379,23 +434,15 @@ class CONTENT_EXPORT SiteInstanceImpl final : public SiteInstance,
   //
   // Note that this function currently requires passing in a site URL (which
   // may use effective URLs), and not a lock URL to which the process may
-  // eventually be locked via LockToOrigin().  See comments on lock_url() for
-  // more info. |is_guest| should be set to true if the call is being made for
-  // a <webview> guest SiteInstance(i.e. SiteInstance::IsGuest() returns true).
+  // eventually be locked via SetProcessLock().  See comments on SiteInfo's
+  // process_lock_url() for more info. |is_guest| should be set to true if the
+  // call is being made for a <webview> guest SiteInstance(i.e.
+  // SiteInstance::IsGuest() returns true).
   // TODO(alexmos):  See if this can take a lock URL instead.
-  static bool ShouldLockToOrigin(const IsolationContext& isolation_context,
-                                 const GURL& site_url,
-                                 const bool is_guest);
-
-  // Converts |lock_url| into an origin that can be used as
-  // |URLLoaderFactoryParams::request_initiator_site_lock|.
-  // This means that the returned origin can be safely used in a eTLD+1
-  // comparison against |network::ResourceRequest::request_initiator|.
-  //
-  // base::nullopt is returned if |lock_url| cannot be used as a
-  // |request_initiator_site_lock| (e.g. in case of site_url =
-  // chrome-guest://...).
-  static base::Optional<url::Origin> GetRequestInitiatorSiteLock(GURL lock_url);
+  // TODO(wjmaclean): Or see if this can take a SiteInfo or ProcessLock instead.
+  static bool ShouldLockProcess(const IsolationContext& isolation_context,
+                                const GURL& site_url,
+                                const bool is_guest);
 
   // Return an ID of the next BrowsingInstance to be created.  This ID is
   // guaranteed to be higher than any ID of an existing BrowsingInstance.
@@ -416,13 +463,13 @@ class CONTENT_EXPORT SiteInstanceImpl final : public SiteInstance,
   // Returns true if this object was constructed as a default site instance.
   bool IsDefaultSiteInstance() const;
 
-  // Returns true if |site_url| is a site URL that the BrowsingInstance has
+  // Returns true if |site_url| is a site url that the BrowsingInstance has
   // associated with its default SiteInstance.
   bool IsSiteInDefaultSiteInstance(const GURL& site_url) const;
 
-  // Returns true if the the site URL for |url| matches the site URL
-  // for this instance (i.e. GetSiteURL()). Otherwise returns false.
-  bool DoesSiteForURLMatch(const GURL& url);
+  // Returns true if the SiteInfo for |url| matches the SiteInfo for this
+  // instance (i.e. GetSiteInfo()). Otherwise returns false.
+  bool DoesSiteInfoForURLMatch(const GURL& url);
 
   // Adds |origin| as a non-isolated origin within this BrowsingInstance due to
   // an existing instance at the time of opt-in, so that future instances of it
@@ -430,6 +477,13 @@ class CONTENT_EXPORT SiteInstanceImpl final : public SiteInstance,
   void PreventOptInOriginIsolation(
       const url::Origin& previously_visited_origin);
 
+  // Returns the current AgentSchedulingGroupHost this SiteInstance is
+  // associated with. Since the AgentSchedulingGroupHost *must* be assigned (and
+  // cleared) together with the RenderProcessHost, calling this method when no
+  // AgentSchedulingGroupHost is set will trigger the creation of a new
+  // RenderProcessHost (with a new ID).
+  AgentSchedulingGroupHost& GetAgentSchedulingGroup();
+
  private:
   friend class BrowsingInstance;
   friend class SiteInstanceTestBrowserClient;
@@ -447,7 +501,13 @@ class CONTENT_EXPORT SiteInstanceImpl final : public SiteInstance,
                            const ChildProcessTerminationInfo& info) override;
 
   // Used to restrict a process' origin access rights.
-  void LockToOriginIfNeeded();
+  void LockProcessIfNeeded();
+
+  // Returns the URL to which a process should be locked for the given URL.
+  // This is computed similarly to the site URL (see GetSiteForURL), but
+  // without resolving effective URLs.
+  static GURL DetermineProcessLockURL(const IsolationContext& isolation_context,
+                                      const GURL& url);
 
   // If kProcessSharingWithStrictSiteInstances is enabled, this will check
   // whether both a site and a process have been assigned to this SiteInstance,
@@ -456,12 +516,12 @@ class CONTENT_EXPORT SiteInstanceImpl final : public SiteInstance,
   // a dedicated process.
   void MaybeSetBrowsingInstanceDefaultProcess();
 
-  // Sets |site_| and |lock_| with |site_url| and |lock_url| respectively
-  // and registers this object with |browsing_instance_|. SetSite() calls
-  // this method to set the site and lock for a user provided URL. This
-  // method should only be called by code that need to set the site and
-  // lock directly without any "url to site URL" transformation.
-  void SetSiteAndLockInternal(const GURL& site_url, const GURL& lock_url);
+  // Sets |site_info_| with |site_info| and registers this object with
+  // |browsing_instance_|. SetSite() calls this method to set the site and lock
+  // for a user provided URL. This method should only be called by code that
+  // need to set the site and lock directly without any "url to site URL"
+  // transformation.
+  void SetSiteInfoInternal(const SiteInfo& site_info);
 
   // Helper method to set the process of this SiteInstance, only in cases
   // where it is safe. It is not generally safe to change the process of a
@@ -498,7 +558,7 @@ class CONTENT_EXPORT SiteInstanceImpl final : public SiteInstance,
   // where the caller only has |url| it can use
   // SiteInstanceImpl::GetSiteForURL() to generate |site_url|. This call is
   // intentionally not set as a default value to encourage the caller to reuse
-  // a site URL computation if they already have one.
+  // a site url computation if they already have one.
   static bool CanBePlacedInDefaultSiteInstance(
       const IsolationContext& isolation_context,
       const GURL& url,
@@ -519,11 +579,16 @@ class CONTENT_EXPORT SiteInstanceImpl final : public SiteInstance,
   // BrowsingInstance to which this SiteInstance belongs.
   scoped_refptr<BrowsingInstance> browsing_instance_;
 
-  // Current RenderProcessHost that is rendering pages for this SiteInstance.
-  // This pointer will only change once the RenderProcessHost is destructed.  It
-  // will still remain the same even if the process crashes, since in that
-  // scenario the RenderProcessHost remains the same.
+  // Current RenderProcessHost that is rendering pages for this SiteInstance,
+  // and AgentSchedulingGroupHost (within the process) this SiteInstance belongs
+  // to. Since AgentSchedulingGroupHost is associated with a specific
+  // RenderProcessHost, these *must be* changed together to avoid UAF!
+  // The |process_| pointer (and hence the |agent_scheduling_group_| pointer as
+  // well) will only change once the RenderProcessHost is destructed. They will
+  // still remain the same even if the process crashes, since in that scenario
+  // the RenderProcessHost remains the same.
   RenderProcessHost* process_;
+  AgentSchedulingGroupHost* agent_scheduling_group_;
 
   // Describes the desired behavior when GetProcess() method needs to find a new
   // process to associate with the current SiteInstanceImpl.  If |false|, then
@@ -531,21 +596,15 @@ class CONTENT_EXPORT SiteInstanceImpl final : public SiteInstance,
   // |process_|.
   bool can_associate_with_spare_process_;
 
-  // The web site that this SiteInstance is rendering pages for.
-  SiteInfo site_;
+  // The SiteInfo that this SiteInstance is rendering pages for.
+  SiteInfo site_info_;
 
   // Whether SetSite has been called.
   bool has_site_;
 
-  // The URL which was used to set the |site_| for this SiteInstance.
+  // The URL which was used to set the |site_info_| for this SiteInstance.
   GURL original_url_;
 
-  // The URL to use when locking a process to this SiteInstance's site via
-  // LockToOrigin().  This is the same as |site_| except for cases involving
-  // effective URLs, such as hosted apps.  In those cases, this URL is a site
-  // URL that is computed without the use of effective URLs.
-  GURL lock_url_;
-
   // The ProcessReusePolicy to use when creating a RenderProcessHost for this
   // SiteInstance.
   ProcessReusePolicy process_reuse_policy_;