diff options
Diffstat (limited to 'chromium/content/browser/site_instance_impl.cc')
| -rw-r--r-- | chromium/content/browser/site_instance_impl.cc | 361 |
1 files changed, 212 insertions, 149 deletions
diff --git a/chromium/content/browser/site_instance_impl.cc b/chromium/content/browser/site_instance_impl.cc index 618f09320ff..53d961daab4 100644 --- a/chromium/content/browser/site_instance_impl.cc +++ b/chromium/content/browser/site_instance_impl.cc @@ -5,9 +5,11 @@ #include "content/browser/site_instance_impl.h" #include <string> +#include <tuple> #include "base/command_line.h" #include "base/debug/crash_logging.h" +#include "base/debug/dump_without_crashing.h" #include "base/lazy_instance.h" #include "base/macros.h" #include "content/browser/bad_message.h" @@ -15,6 +17,7 @@ #include "content/browser/child_process_security_policy_impl.h" #include "content/browser/isolated_origin_util.h" #include "content/browser/isolation_context.h" +#include "content/browser/renderer_host/agent_scheduling_group_host.h" #include "content/browser/renderer_host/render_process_host_impl.h" #include "content/browser/storage_partition_impl.h" #include "content/browser/webui/url_data_manager_backend.h" @@ -56,20 +59,40 @@ const GURL& SiteInstanceImpl::GetDefaultSiteURL() { // static SiteInfo SiteInfo::CreateForErrorPage() { - return SiteInfo(GURL(content::kUnreachableWebDataURL)); + return SiteInfo(GURL(content::kUnreachableWebDataURL), + GURL(content::kUnreachableWebDataURL), + false /* is_origin_keyed */); } -SiteInfo::SiteInfo(const GURL& site_url) : site_url_(site_url) {} +SiteInfo::SiteInfo(const GURL& site_url, + const GURL& process_lock_url, + bool is_origin_keyed) + : site_url_(site_url), + process_lock_url_(process_lock_url), + is_origin_keyed_(is_origin_keyed) {} + +// static +auto SiteInfo::MakeTie(const SiteInfo& site_info) { + return std::tie(site_info.site_url_.possibly_invalid_spec(), + site_info.process_lock_url_.possibly_invalid_spec(), + site_info.is_origin_keyed_); +} bool SiteInfo::operator==(const SiteInfo& other) const { - return site_url_ == other.site_url_; + return MakeTie(*this) == MakeTie(other); } bool SiteInfo::operator!=(const SiteInfo& other) const { - return site_url_ != other.site_url_; + return MakeTie(*this) != MakeTie(other); +} + +bool SiteInfo::operator<(const SiteInfo& other) const { + return MakeTie(*this) < MakeTie(other); } std::string SiteInfo::GetDebugString() const { + // TODO(wjmaclean): At some point we should consider adding output about + // origin- vs. site-keying. return site_url_.possibly_invalid_spec(); } @@ -82,6 +105,7 @@ SiteInstanceImpl::SiteInstanceImpl(BrowsingInstance* browsing_instance) active_frame_count_(0), browsing_instance_(browsing_instance), process_(nullptr), + agent_scheduling_group_(nullptr), can_associate_with_spare_process_(true), has_site_(false), process_reuse_policy_(ProcessReusePolicy::DEFAULT), @@ -181,7 +205,8 @@ scoped_refptr<SiteInstanceImpl> SiteInstanceImpl::CreateForGuest( // Setting site and lock directly without the site URL conversions we // do for user provided URLs. Callers expect GetSiteURL() to return the // value they provide in |guest_site_url|. - site_instance->SetSiteAndLockInternal(guest_site_url, guest_site_url); + site_instance->SetSiteInfoInternal( + SiteInfo(guest_site_url, guest_site_url, false /* is_origin_keyed */)); return site_instance; } @@ -215,11 +240,6 @@ bool SiteInstanceImpl::ShouldAssignSiteForURL(const GURL& url) { return GetContentClient()->browser()->ShouldAssignSiteForURL(url); } -// static -bool SiteInstanceImpl::IsOriginLockASite(const GURL& lock_url) { - return lock_url.has_scheme() && lock_url.has_host(); -} - int32_t SiteInstanceImpl::GetId() { return id_; } @@ -285,9 +305,10 @@ bool SiteInstanceImpl::HasProcess() { // existing process that we would use if GetProcess() were called. BrowserContext* browser_context = browsing_instance_->GetBrowserContext(); if (has_site_ && - RenderProcessHostImpl::ShouldUseProcessPerSite(browser_context, site_) && - RenderProcessHostImpl::GetSoleProcessHostForSite( - GetIsolationContext(), site_, lock_url_, IsGuest())) { + RenderProcessHostImpl::ShouldUseProcessPerSite(browser_context, + site_info_) && + RenderProcessHostImpl::GetSoleProcessHostForSite(GetIsolationContext(), + site_info_, IsGuest())) { return true; } @@ -308,8 +329,8 @@ RenderProcessHost* SiteInstanceImpl::GetProcess() { // Check if the ProcessReusePolicy should be updated. bool should_use_process_per_site = - has_site_ && - RenderProcessHostImpl::ShouldUseProcessPerSite(browser_context, site_); + has_site_ && RenderProcessHostImpl::ShouldUseProcessPerSite( + browser_context, site_info_); if (should_use_process_per_site) { process_reuse_policy_ = ProcessReusePolicy::PROCESS_PER_SITE; } else if (process_reuse_policy_ == ProcessReusePolicy::PROCESS_PER_SITE) { @@ -324,6 +345,21 @@ RenderProcessHost* SiteInstanceImpl::GetProcess() { return process_; } +AgentSchedulingGroupHost& SiteInstanceImpl::GetAgentSchedulingGroup() { + if (!agent_scheduling_group_) { + // If an AgentSchedulingGroup has not yet been assigned, we need to have it + // assigned (along with a RenderProcessHost). To preserve the invariant that + // |process_| and |agent_scheduling_group_| are always changed together, we + // call GetProcess(), and assume that it will set both members. + GetProcess(); + } + + DCHECK(agent_scheduling_group_); + DCHECK_EQ(agent_scheduling_group_->GetProcess(), process_); + + return *agent_scheduling_group_; +} + void SiteInstanceImpl::ReuseCurrentProcessIfPossible( RenderProcessHost* current_process) { DCHECK(!IsGuest()); @@ -337,7 +373,7 @@ void SiteInstanceImpl::ReuseCurrentProcessIfPossible( // process is used for a process-per-site site, it is ok to reuse this for the // new page (regardless of the site). if (HasSite() && RenderProcessHostImpl::ShouldUseProcessPerSite( - browsing_instance_->GetBrowserContext(), site_)) { + browsing_instance_->GetBrowserContext(), site_info_)) { return; } @@ -346,10 +382,12 @@ void SiteInstanceImpl::ReuseCurrentProcessIfPossible( // different from this SiteInstance's site. if (!current_process->MayReuseHost() || !RenderProcessHostImpl::IsSuitableHost( - current_process, GetIsolationContext(), site_.site_url(), lock_url(), - IsGuest())) { + current_process, GetIsolationContext(), site_info_, IsGuest())) { return; } + + // TODO(crbug.com/1055779 ): Don't try to reuse process if either of the + // SiteInstances are cross-origin isolated (uses COOP/COEP). SetProcessInternal(current_process); } @@ -362,6 +400,8 @@ void SiteInstanceImpl::SetProcessInternal(RenderProcessHost* process) { CHECK(process); process_ = process; process_->AddObserver(this); + DCHECK(!agent_scheduling_group_); + agent_scheduling_group_ = AgentSchedulingGroupHost::Get(*this, *process_); MaybeSetBrowsingInstanceDefaultProcess(); @@ -378,7 +418,7 @@ void SiteInstanceImpl::SetProcessInternal(RenderProcessHost* process) { GetContentClient()->browser()->SiteInstanceGotProcess(this); if (has_site_) - LockToOriginIfNeeded(); + LockProcessIfNeeded(); } bool SiteInstanceImpl::CanAssociateWithSpareProcess() { @@ -402,41 +442,29 @@ void SiteInstanceImpl::SetSite(const GURL& url) { DCHECK(!has_site_); original_url_ = url; - - // Convert |url| into appropriate site and lock URLs that can be passed to - // SetSiteAndLockInternal(). We must do this transformation for any arbitrary + // Convert |url| into an appropriate SiteInfo that can be passed to + // SetSiteInfoInternal(). We must do this transformation for any arbitrary // URL we get from a user, a navigation, or script. - GURL site_url; - GURL lock_url; - browsing_instance_->GetSiteAndLockForURL( - url, /* allow_default_instance */ false, &site_url, &lock_url); - - SetSiteAndLockInternal(site_url, lock_url); + SetSiteInfoInternal(browsing_instance_->GetSiteInfoForURL( + url, /* allow_default_instance */ false)); } -void SiteInstanceImpl::SetSiteAndLockInternal(const GURL& site_url, - const GURL& lock_url) { +void SiteInstanceImpl::SetSiteInfoInternal(const SiteInfo& site_info) { // TODO(acolwell): Add logic to validate |site_url| and |lock_url| are valid. DCHECK(!has_site_); // Remember that this SiteInstance has been used to load a URL, even if the // URL is invalid. has_site_ = true; - site_ = SiteInfo(site_url); - lock_url_ = lock_url; - - // Check if |site_url| corresponds to an opt-in isolated origin, and if so, - // track this origin in the current BrowsingInstance. This is needed to - // consistently isolate future navigations to this origin in this - // BrowsingInstance, even if its opt-in status changes later. - ChildProcessSecurityPolicyImpl* policy = - ChildProcessSecurityPolicyImpl::GetInstance(); - url::Origin site_origin(url::Origin::Create(site_url)); - // At this point, this should be a simple lookup on the master list, since - // this SiteInstance is new to the BrowsingInstance. - bool isolated = policy->ShouldOriginGetOptInIsolation( - browsing_instance_->isolation_context(), site_origin); - if (isolated) { + site_info_ = site_info; + + if (site_info_.is_origin_keyed()) { + // Track this origin's isolation in the current BrowsingInstance. This is + // needed to consistently isolate future navigations to this origin in this + // BrowsingInstance, even if its opt-in status changes later. + ChildProcessSecurityPolicyImpl* policy = + ChildProcessSecurityPolicyImpl::GetInstance(); + url::Origin site_origin(url::Origin::Create(site_info_.site_url())); policy->AddOptInIsolatedOriginForBrowsingInstance( browsing_instance_->isolation_context(), site_origin); } @@ -450,13 +478,14 @@ void SiteInstanceImpl::SetSiteAndLockInternal(const GURL& site_url, // Update the process reuse policy based on the site. BrowserContext* browser_context = browsing_instance_->GetBrowserContext(); bool should_use_process_per_site = - RenderProcessHostImpl::ShouldUseProcessPerSite(browser_context, site_); + RenderProcessHostImpl::ShouldUseProcessPerSite(browser_context, + site_info_); if (should_use_process_per_site) { process_reuse_policy_ = ProcessReusePolicy::PROCESS_PER_SITE; } if (process_) { - LockToOriginIfNeeded(); + LockProcessIfNeeded(); // Ensure the process is registered for this site if necessary. if (should_use_process_per_site) @@ -476,19 +505,23 @@ void SiteInstanceImpl::ConvertToDefaultOrSetSite(const GURL& url) { } const GURL& SiteInstanceImpl::GetSiteURL() { - return site_.site_url(); + return site_info_.site_url(); } const SiteInfo& SiteInstanceImpl::GetSiteInfo() { - return site_; + return site_info_; +} + +const ProcessLock SiteInstanceImpl::GetProcessLock() const { + return ProcessLock(site_info_); } bool SiteInstanceImpl::HasSite() const { return has_site_; } -bool SiteInstanceImpl::HasRelatedSiteInstance(const GURL& url) { - return browsing_instance_->HasSiteInstance(url); +bool SiteInstanceImpl::HasRelatedSiteInstance(const SiteInfo& site_info) { + return browsing_instance_->HasSiteInstance(site_info); } scoped_refptr<SiteInstance> SiteInstanceImpl::GetRelatedSiteInstance( @@ -517,24 +550,21 @@ bool SiteInstanceImpl::IsSuitableForURL(const GURL& url) { // pages, which should not commit successful navigations. This check avoids a // process transfer for browser-initiated navigations to about:blank in a // dedicated process; without it, IsSuitableHost would consider this process - // unsuitable for about:blank when it compares origin locks. + // unsuitable for about:blank when it compares process locks. // Renderer-initiated navigations will handle about:blank navigations // elsewhere and leave them in the source SiteInstance, along with // about:srcdoc and data:. - if (url.IsAboutBlank() && site_ != SiteInfo::CreateForErrorPage()) + if (url.IsAboutBlank() && site_info_ != SiteInfo::CreateForErrorPage()) return true; // If the site URL is an extension (e.g., for hosted apps or WebUI) but the // process is not (or vice versa), make sure we notice and fix it. - GURL site_url; - GURL origin_lock; // Note: This call must return information that is identical to what // would be reported in the SiteInstance returned by // GetRelatedSiteInstance(url). - browsing_instance_->GetSiteAndLockForURL( - url, /* allow_default_instance */ true, &site_url, &origin_lock); - SiteInfo site_info(site_url); + SiteInfo site_info = browsing_instance_->GetSiteInfoForURL( + url, /* allow_default_instance */ true); // If this is a default SiteInstance and the BrowsingInstance gives us a // non-default site URL even when we explicitly allow the default SiteInstance @@ -547,7 +577,7 @@ bool SiteInstanceImpl::IsSuitableForURL(const GURL& url) { // frame is a site that should be in the default SiteInstance and the // SiteInstance associated with that frame is initially a SiteInstance with // no site URL set. - if (IsDefaultSiteInstance() && site_info != site_) + if (IsDefaultSiteInstance() && site_info != site_info_) return false; // Note that HasProcess() may return true if process_ is null, in @@ -563,14 +593,15 @@ bool SiteInstanceImpl::IsSuitableForURL(const GURL& url) { // If there is no process but there is a site, then the process must have // been discarded after we navigated away. If the site URLs match, then it // is safe to use this SiteInstance. - if (site_ == site_info) + if (site_info_ == site_info) return true; // If the site URLs do not match, but neither this SiteInstance nor the // destination site_url require dedicated processes, then it is safe to use // this SiteInstance. if (!RequiresDedicatedProcess() && - !DoesSiteURLRequireDedicatedProcess(GetIsolationContext(), site_url)) { + !DoesSiteURLRequireDedicatedProcess(GetIsolationContext(), + site_info.site_url())) { return true; } @@ -581,7 +612,7 @@ bool SiteInstanceImpl::IsSuitableForURL(const GURL& url) { } return RenderProcessHostImpl::IsSuitableHost( - GetProcess(), GetIsolationContext(), site_url, origin_lock, IsGuest()); + GetProcess(), GetIsolationContext(), site_info, IsGuest()); } bool SiteInstanceImpl::RequiresDedicatedProcess() { @@ -590,7 +621,7 @@ bool SiteInstanceImpl::RequiresDedicatedProcess() { return false; return DoesSiteURLRequireDedicatedProcess(GetIsolationContext(), - site_.site_url()); + site_info_.site_url()); } void SiteInstanceImpl::IncrementActiveFrameCount() { @@ -665,16 +696,17 @@ bool SiteInstanceImpl::IsSameSiteWithURL(const GURL& url) { // TODO(acolwell): Remove HasSiteInstance() call once we have a way to // prevent SiteInstances with no site URL from being used for URLs // that should be routed to the default SiteInstance. - DCHECK_EQ(site_.site_url(), GetDefaultSiteURL()); - return site_.site_url() == + DCHECK_EQ(site_info_.site_url(), GetDefaultSiteURL()); + return site_info_.site_url() == GetSiteForURLInternal(GetIsolationContext(), url, true /* should_use_effective_urls */, true /* allow_default_site_url */) && - !browsing_instance_->HasSiteInstance(url); + !browsing_instance_->HasSiteInstance( + ComputeSiteInfo(GetIsolationContext(), url)); } - return SiteInstanceImpl::IsSameSite(GetIsolationContext(), site_.site_url(), - url, + return SiteInstanceImpl::IsSameSite(GetIsolationContext(), + site_info_.site_url(), url, true /* should_compare_effective_urls */); } @@ -682,6 +714,42 @@ bool SiteInstanceImpl::IsGuest() { return is_guest_; } +std::string SiteInstanceImpl::GetPartitionDomain( + StoragePartitionImpl* storage_partition) { + auto storage_partition_config = + GetContentClient()->browser()->GetStoragePartitionConfigForSite( + GetBrowserContext(), GetSiteURL()); + + // The DCHECK here is to allow the trybots to detect any attempt to introduce + // new code that violates this assumption. + DCHECK_EQ(storage_partition->GetPartitionDomain(), + storage_partition_config.partition_domain()); + + if (storage_partition->GetPartitionDomain() != + storage_partition_config.partition_domain()) { + // Trigger crash logging if we encounter a case that violates our + // assumptions. + static auto* storage_partition_domain_key = + base::debug::AllocateCrashKeyString("storage_partition_domain", + base::debug::CrashKeySize::Size256); + static auto* storage_partition_config_domain_key = + base::debug::AllocateCrashKeyString( + "storage_partition_config_domain_key", + base::debug::CrashKeySize::Size256); + base::debug::SetCrashKeyString(storage_partition_domain_key, + storage_partition->GetPartitionDomain()); + base::debug::SetCrashKeyString(storage_partition_config_domain_key, + storage_partition_config.partition_domain()); + + base::debug::DumpWithoutCrashing(); + + // Return the value from the config to preserve legacy behavior until we + // can land a fix. + return storage_partition_config.partition_domain(); + } + return storage_partition->GetPartitionDomain(); +} + bool SiteInstanceImpl::IsOriginalUrlSameSite( const GURL& dest_url, bool should_compare_effective_urls) { @@ -777,13 +845,23 @@ bool SiteInstanceImpl::IsSameSite(const IsolationContext& isolation_context, return true; } -bool SiteInstanceImpl::DoesSiteForURLMatch(const GURL& url) { +bool SiteInstanceImpl::DoesSiteInfoForURLMatch(const GURL& url) { + auto* policy = ChildProcessSecurityPolicyImpl::GetInstance(); + bool is_origin_keyed = policy->ShouldOriginGetOptInIsolation( + GetIsolationContext(), url::Origin::Create(url)); + // Note: The |allow_default_site_url| value used here MUST match the value - // used in CreateForURL(). - return site_.site_url() == - GetSiteForURLInternal(GetIsolationContext(), url, - true /* should_use_effective_urls */, - true /* allow_default_site_url */); + // used in CreateForURL(). This is why we can't use ComputeSiteInfo() or + // even DetermineProcessLockURL() here, which do not allow the default site + // URL. + return site_info_ == + SiteInfo(GetSiteForURLInternal(GetIsolationContext(), url, + true /* should_use_effective_urls */, + true /* allow_default_site_url */), + GetSiteForURLInternal(GetIsolationContext(), url, + false /* should_use_effective_urls */, + true /* allow_default_site_url */), + is_origin_keyed); } void SiteInstanceImpl::PreventOptInOriginIsolation( @@ -809,20 +887,46 @@ GURL SiteInstance::GetSiteForURL(BrowserContext* browser_context, // where needed. Eventually, GetSiteForURL should always require an // IsolationContext to be passed in, and this implementation should just // become SiteInstanceImpl::GetSiteForURL. - return SiteInstanceImpl::ComputeSiteInfo(IsolationContext(browser_context), - url) - .site_url(); + return SiteInstanceImpl::GetSiteForURL(IsolationContext(browser_context), + url); } SiteInfo SiteInstanceImpl::ComputeSiteInfo( const IsolationContext& isolation_context, const GURL& url) { - // This function will expand as more information, such as site-/origin-keying, - // are included in SiteInfo. - return SiteInfo(GetSiteForURL(isolation_context, url)); + // The call to GetSiteForURL() below is only allowed on the UI thread, due to + // its possible use of effective urls. + DCHECK_CURRENTLY_ON(BrowserThread::UI); + // This function will expand as more information is included in SiteInfo. + bool is_origin_keyed = ChildProcessSecurityPolicyImpl::GetInstance() + ->ShouldOriginGetOptInIsolation( + isolation_context, url::Origin::Create(url)); + + return SiteInfo(GetSiteForURL(isolation_context, url), + DetermineProcessLockURL(isolation_context, url), + is_origin_keyed); } // static +ProcessLock SiteInstanceImpl::DetermineProcessLock( + const IsolationContext& isolation_context, + const GURL& url) { + if (BrowserThread::CurrentlyOn(BrowserThread::UI)) + return ProcessLock(ComputeSiteInfo(isolation_context, url)); + + DCHECK_CURRENTLY_ON(BrowserThread::IO); + GURL lock_url = DetermineProcessLockURL(isolation_context, url); + bool is_origin_keyed = ChildProcessSecurityPolicyImpl::GetInstance() + ->ShouldOriginGetOptInIsolation( + isolation_context, url::Origin::Create(url)); + // In the SiteInfo constructor below we pass the lock url as the site URL + // also, assuming the IO-thread caller won't be looking at the site url. + return ProcessLock(SiteInfo(lock_url, lock_url, is_origin_keyed)); +} + +// static +// TODO(wjmaclean): remove this if the sole call from the IO thread can be +// removed. GURL SiteInstanceImpl::DetermineProcessLockURL( const IsolationContext& isolation_context, const GURL& url) { @@ -872,8 +976,7 @@ GURL SiteInstanceImpl::GetSiteForURLInternal( if (!origin.host().empty() && origin.scheme() != url::kFileScheme) { // For Strict Origin Isolation, use the full origin instead of site for all // HTTP/HTTPS URLs. Note that the HTTP/HTTPS restriction guarantees that - // we won't hit this for hosted app effective URLs, which would otherwise - // need to append a non-translated site URL to the hash below (see + // we won't hit this for hosted app effective URLs (see // https://crbug.com/961386). if (SiteIsolationPolicy::IsStrictOriginIsolationEnabled() && origin.GetURL().SchemeIsHTTPOrHTTPS()) @@ -889,39 +992,8 @@ GURL SiteInstanceImpl::GetSiteForURLInternal( auto* policy = ChildProcessSecurityPolicyImpl::GetInstance(); url::Origin isolated_origin; if (policy->GetMatchingIsolatedOrigin(isolation_context, origin, site_url, - &isolated_origin)) + &isolated_origin)) { return isolated_origin.GetURL(); - - // The following check will determine if we have a sub-origin that does - // not request isolation, but the base-origin does. In that case, we need - // to place the sub-origin into a different SiteInstance, effectively - // isolating it as well. - // TODO(wjmaclean): Remove this when we implement site-keyed and - // origin-keyed SiteInstances, since the call to GetMatchingIsolatedOrigin - // above should correctly cause non-isolated sub origins to go to the - // site-keyed SiteInstance, regardless of what the base origin does. - url::Origin base_origin = url::Origin::Create(site_url); - if (IsolatedOriginUtil::IsStrictSubdomain(origin, base_origin) && - policy->ShouldOriginGetOptInIsolation(isolation_context, base_origin)) { - return origin.GetURL(); - } - - // If an effective URL was used, augment the effective site URL with the - // underlying web site in the hash. This is needed to keep - // navigations across sites covered by one hosted app in separate - // SiteInstances. See https://crbug.com/791796. - // - // TODO(https://crbug.com/734722): Consider replacing this hack with - // a proper security principal. - if (should_use_effective_urls && url != real_url) { - std::string non_translated_site_url( - GetSiteForURLInternal(isolation_context, real_url, - false /* should_use_effective_urls */, - allow_default_site_url) - .spec()); - GURL::Replacements replacements; - replacements.SetRefStr(non_translated_site_url.c_str()); - site_url = site_url.ReplaceComponents(replacements); } } else { // If there is no host but there is a scheme, return the scheme. @@ -964,6 +1036,8 @@ GURL SiteInstanceImpl::GetSiteForURLInternal( } } + // We should never get here if we're origin_keyed, otherwise we would have + // returned after the GetMatchingIsolatedOrigin() call above. if (allow_default_site_url && CanBePlacedInDefaultSiteInstance(isolation_context, real_url, site_url)) { return GetDefaultSiteURL(); @@ -1087,7 +1161,7 @@ bool SiteInstanceImpl::DoesSiteURLRequireDedicatedProcess( } // static -bool SiteInstanceImpl::ShouldLockToOrigin( +bool SiteInstanceImpl::ShouldLockProcess( const IsolationContext& isolation_context, const GURL& site_url, const bool is_guest) { @@ -1125,33 +1199,19 @@ bool SiteInstanceImpl::ShouldLockToOrigin( // call sites of ChildProcessSecurityPolicy::CanAccessDataForOrigin, we // must give the embedder a chance to exempt some sites to avoid process // kills. - if (!GetContentClient()->browser()->ShouldLockToOrigin(browser_context, - site_url)) { + if (!GetContentClient()->browser()->ShouldLockProcess(browser_context, + site_url)) { return false; } return true; } -// static -base::Optional<url::Origin> SiteInstanceImpl::GetRequestInitiatorSiteLock( - GURL lock_url) { - // The following schemes are safe for sites that require a process lock: - // - data: - locking |request_initiator| to an opaque origin - // - http/https - requiring |request_initiator| to match |site_url| with - // DomainIs (i.e. suffix-based) comparison. - if (lock_url.SchemeIsHTTPOrHTTPS() || lock_url.SchemeIs(url::kDataScheme)) - return url::Origin::Create(lock_url); - - // Other schemes might not be safe to use as |request_initiator_site_lock|. - // One example is chrome-guest://... - return base::nullopt; -} - void SiteInstanceImpl::RenderProcessHostDestroyed(RenderProcessHost* host) { DCHECK_EQ(process_, host); process_->RemoveObserver(this); process_ = nullptr; + agent_scheduling_group_ = nullptr; } void SiteInstanceImpl::RenderProcessExited( @@ -1161,14 +1221,14 @@ void SiteInstanceImpl::RenderProcessExited( observer.RenderProcessGone(this, info); } -void SiteInstanceImpl::LockToOriginIfNeeded() { +void SiteInstanceImpl::LockProcessIfNeeded() { DCHECK(HasSite()); // From now on, this process should be considered "tainted" for future // process reuse decisions: - // (1) If |site_| required a dedicated process, this SiteInstance's process - // can only host URLs for the same site. - // (2) Even if |site_| does not require a dedicated process, this + // (1) If |site_info_| required a dedicated process, this SiteInstance's + // process can only host URLs for the same site. + // (2) Even if |site_info_| does not require a dedicated process, this // SiteInstance's process still cannot be reused to host other sites // requiring dedicated sites in the future. // We can get here either when we commit a URL into a SiteInstance that does @@ -1178,31 +1238,34 @@ void SiteInstanceImpl::LockToOriginIfNeeded() { ChildProcessSecurityPolicyImpl* policy = ChildProcessSecurityPolicyImpl::GetInstance(); - GURL process_lock = policy->GetOriginLock(process_->GetID()); - if (ShouldLockToOrigin(GetIsolationContext(), site_.site_url(), IsGuest())) { + ProcessLock process_lock = policy->GetProcessLock(process_->GetID()); + if (ShouldLockProcess(GetIsolationContext(), site_info_.site_url(), + IsGuest())) { // Sanity check that this won't try to assign an origin lock to a <webview> // process, which can't be locked. CHECK(!process_->IsForGuestsOnly()); + ProcessLock lock_to_set = GetProcessLock(); if (process_lock.is_empty()) { // TODO(nick): When all sites are isolated, this operation provides // strong protection. If only some sites are isolated, we need // additional logic to prevent the non-isolated sites from requesting // resources for isolated sites. https://crbug.com/509125 - TRACE_EVENT2("navigation", "SiteInstanceImpl::LockToOrigin", "site id", - id_, "lock", lock_url().possibly_invalid_spec()); - process_->LockToOrigin(GetIsolationContext(), lock_url()); - } else if (process_lock != lock_url()) { + TRACE_EVENT2("navigation", "RenderProcessHost::SetProcessLock", "site id", + id_, "lock", lock_to_set.ToString()); + process_->SetProcessLock(GetIsolationContext(), lock_to_set); + } else if (process_lock != lock_to_set) { // We should never attempt to reassign a different origin lock to a // process. base::debug::SetCrashKeyString(bad_message::GetRequestedSiteURLKey(), - site_.GetDebugString()); + site_info_.GetDebugString()); policy->LogKilledProcessOriginLock(process_->GetID()); - CHECK(false) << "Trying to lock a process to " << lock_url() - << " but the process is already locked to " << process_lock; + CHECK(false) << "Trying to lock a process to " << lock_to_set.ToString() + << " but the process is already locked to " + << process_lock.ToString(); } else { // Process already has the right origin lock assigned. This case will - // happen for commits to |site_| after the first one. + // happen for commits to |site_info_| after the first one. } } else { // If the site that we've just committed doesn't require a dedicated @@ -1210,10 +1273,10 @@ void SiteInstanceImpl::LockToOriginIfNeeded() { // does. if (!process_lock.is_empty()) { base::debug::SetCrashKeyString(bad_message::GetRequestedSiteURLKey(), - site_.GetDebugString()); + site_info_.GetDebugString()); policy->LogKilledProcessOriginLock(process_->GetID()); - CHECK(false) << "Trying to commit non-isolated site " << site_ - << " in process locked to " << process_lock; + CHECK(false) << "Trying to commit non-isolated site " << site_info_ + << " in process locked to " << process_lock.lock_url(); } } |