This reverts commit eb0a64dbb3.
Reason for revert: Causes a substantial increase in browser crashes on Canary.
Original change's description:
> Don't skip isolation check for empty BrowsingInstanceId in tests.
>
> This CL modifies GetMatchingProcessIsolatedOrigin to make sure that,
> if it's called with an IsolationContext that has no BrowsingInstanceId
> (which commonly happens in tests), it gives the correct isolation
> when OriginKeyedProcessesByDefault is enabled.
>
> This bug doesn't exist without OriginKeyedProcessesByDefault enabled,
> since all that's left is opt-in/opt-out isolation, and neither of those
> can occur without a BrowsingInstanceId.
>
> Bug: 40259221
> Change-Id: Ib810c80f9710f8f270a7fad36abb2cbf5332d7a2
> Reviewed-on: https://chromium-review.googlesource.com/c/chromium/src/+/5572325
> Reviewed-by: Charlie Reis <creis@chromium.org>
> Commit-Queue: W. James Maclean <wjmaclean@chromium.org>
> Reviewed-by: Alex Moshchuk <alexmos@chromium.org>
> Cr-Commit-Position: refs/heads/main@{#1308848}
Bug: 40259221, 338792924
Change-Id: Ie0bba451babfb732b143d8bbdaaf9fe6d2b1fc61
Reviewed-on: https://chromium-review.googlesource.com/c/chromium/src/+/5592571
Commit-Queue: Wez <wez@chromium.org>
Reviewed-by: Charlie Reis <creis@chromium.org>
Auto-Submit: Wez <wez@chromium.org>
Bot-Commit: Rubber Stamper <rubber-stamper@appspot.gserviceaccount.com>
Commit-Queue: Charlie Reis <creis@chromium.org>
Cr-Commit-Position: refs/heads/main@{#1309339}
This CL modifies GetMatchingProcessIsolatedOrigin to make sure that,
if it's called with an IsolationContext that has no BrowsingInstanceId
(which commonly happens in tests), it gives the correct isolation
when OriginKeyedProcessesByDefault is enabled.
This bug doesn't exist without OriginKeyedProcessesByDefault enabled,
since all that's left is opt-in/opt-out isolation, and neither of those
can occur without a BrowsingInstanceId.
Bug: 40259221
Change-Id: Ib810c80f9710f8f270a7fad36abb2cbf5332d7a2
Reviewed-on: https://chromium-review.googlesource.com/c/chromium/src/+/5572325
Reviewed-by: Charlie Reis <creis@chromium.org>
Commit-Queue: W. James Maclean <wjmaclean@chromium.org>
Reviewed-by: Alex Moshchuk <alexmos@chromium.org>
Cr-Commit-Position: refs/heads/main@{#1308848}
This CL is a refactor to store the default OriginAgentIsolationState
in the IsolationContext owned by a BrowsingInstance. By doing this at
the creation of the BrowsingInstance, we snapshot the default in case it
dynamically changes (e.g. via a change in the value of the enterprise
policy OriginAgentClusterDefaultEnabled).
This refactor also allows CanAccessDataForOrigin access to a
BrowsingInstance's default isolation state so that it can appropriately
construct the expected_process_lock. This is potentially a behavior
change, but only after we introduce process-isolated default OAC in a
follow-on CL.
Bug: 1421329
Change-Id: I7829c151365b685c724f79e8d40c56dd27ec5819
Reviewed-on: https://chromium-review.googlesource.com/c/chromium/src/+/4427512
Commit-Queue: James Maclean <wjmaclean@chromium.org>
Reviewed-by: Charlie Reis <creis@chromium.org>
Code-Coverage: Findit <findit-for-me@appspot.gserviceaccount.com>
Cr-Commit-Position: refs/heads/main@{#1136085}
This CL implements process isolation for fenced frames (isolating
fenced frames from their embedders) behind a flag. It adds an
'is_fenced' attribute to SiteInfo and IsolationContext to help enforce
this isolation. Having the is_fenced bit in IsolationContext is used to
maintain the same value of is_fenced for all related SiteInstances
created in a particular BrowsingInstance (e.g., for subframes of a
fenced frame).
The changes here currently only have an effect when
the flag is enabled and strict site isolation is enabled. Changes for
other site isolation modes will be in future CLs. See attached bug for
more details on design (design doc, explainer).
Bug: 1340662
Change-Id: I821943158286c9fa69639ad1156112bd74a4410e
Reviewed-on: https://chromium-review.googlesource.com/c/chromium/src/+/3821704
Commit-Queue: Adithya Srinivasan <adithyas@chromium.org>
Reviewed-by: Alex Moshchuk <alexmos@chromium.org>
Cr-Commit-Position: refs/heads/main@{#1041755}
This CL adds initial support for enabling site isolation inside
<webview> guests. This mode is behind a new feature called
SiteIsolationForGuests.
The overall approach is to stop using special chrome-guest: site URLs
when creating SiteInfos for guests. Instead, site-isolated guests use
real site URLs that are computed with the existing process model code,
and rely on SiteInfo::storage_partition_config to keep navigations
within guests in the same StoragePartition and in guest SiteInstances.
This CL supports cross-process navigations in guests, OOPIFs, and
cross-BrowsingInstance navigations in guests. A particular guest will
no longer be restricted to a single SiteInstance and BrowsingInstance,
though it will always stay in the same StoragePartition, and for all
SiteInstances in a guest, SiteInstance::IsGuest() will be true.
In the current SiteInstance assignment paths, there are various early
returns that always keep guests in the same SiteInstance. Those are
now only used when the new feature is off. Since guests will now
descend much deeper into the SiteInstance assignment paths, we needed
an additional signal as to whether the new SiteInstance/SiteInfo would
be for a guest. To do this, instead of plumbing an additional flag to
places like SiteInfo::CreateInternal, is_guest is added to
IsolationContext which is already plumbed into all the needed code
paths (see SiteInfo::CreateInternal for how it's used). Conceptually,
IsolationContext::is_guest just says whether a particular
BrowsingInstance is for a guest or not, so that any related
SiteInstances within it stay in the guest.
To handle cross-BrowsingInstance navigations in guests,
SiteInstanceImpl::CreateForUrlInfo (which is normally used to create
a new SiteInstance in a new BrowsingInstance) is updated to be able to
handle guests, in which case the StoragePartition info needs to be
transferred into the new SiteInstance/BrowsingInstance.
The following are some things that are not part of this CL and will be
addressed in future CLs:
- converting <webview> tests to run in both the legacy and site
isolation modes. (This CL does add standalone tests to validate
site isolation properties.)
- embedder navigating <webview> to about:blank and siteless
SiteInstances.
- error page navigations, WebViewRendererState, loadDataWithBaseURL.
Bug: 1267977
Change-Id: I3b747640c083a302dc07ee4106af4f6d33928165
Reviewed-on: https://chromium-review.googlesource.com/c/chromium/src/+/3380343
Reviewed-by: James Maclean <wjmaclean@chromium.org>
Reviewed-by: Charles Reis <creis@chromium.org>
Commit-Queue: Alex Moshchuk <alexmos@chromium.org>
Cr-Commit-Position: refs/heads/main@{#965525}
This CL replaces the return type of SiteInstance::GetBrowsingInstanceId
(int32_t before this CL, BrowsingInstanceId/base::IdType32 after this
CL) and fixes the resulting fallout (switching to use
BrowsingInstanceId instead of int32_t in other places in non-test code).
Bug: 1229798
Change-Id: I7ba69edb38be618b79a16a679c15edddb96be48a
Reviewed-on: https://chromium-review.googlesource.com/c/chromium/src/+/3039322
Reviewed-by: Sigurður Ásgeirsson <siggi@chromium.org>
Reviewed-by: Charlie Reis <creis@chromium.org>
Commit-Queue: Łukasz Anforowicz <lukasza@chromium.org>
Cr-Commit-Position: refs/heads/master@{#904092}
Previously, isolated origins would apply globally for all profiles in
the entire browser. This CL introduces support for associating
isolated origins with specific BrowserContexts (i.e., profiles):
1. The API for adding new isolated origins,
ChildProcessSecurityPolicyImpl::AddIsolatedOrigins(), can now take
a BrowserContext in which the origin should apply.
2. Entries in the map of isolated origins are extended to optionally
contain the BrowserContext to which they apply. If this is not
specified, the corresponding isolated origin still applies globally
to all profiles. To facilitate checks on the IO thread, the
ResourceContext (BrowserContext's representation on the IO thread)
is also stored in the entry.
3. IsolationContext now also carries profile information (as
BrowserOrResourceContext), and GetMatchingIsolatedOrigin() consults
it to see if the profiles match when looking for matching isolated
origins. Various tests are updated to pass a proper BrowserContext
to the IsolationContexts they construct.
Bug: 905513
Change-Id: Iad1fd2ca4ea701f9e088d30fa1b8582de9fbed67
Reviewed-on: https://chromium-review.googlesource.com/c/chromium/src/+/1497794
Commit-Queue: Alex Moshchuk <alexmos@chromium.org>
Reviewed-by: Łukasz Anforowicz <lukasza@chromium.org>
Cr-Commit-Position: refs/heads/master@{#638360}
This CL introduces an ability to add isolated origins at any time, rather
than only at browser startup. Isolated origins added dynamically will
apply only to future BrowsingInstances and processes.
To do this, the calls involved in making process model decisions and
looking up isolated origins, such as DoesSiteRequireDedicatedProcess,
need to be aware of which BrowsingInstance is asking. This CL adds
the required plumbing in the form of a new IsolationContext object.
For now, IsolationContext only contains the BrowsingInstance ID, but
in the future it will be extended to include BrowserContext info as
well, allowing isolated origins to also be scoped to particular
profiles. Calls that currently take both BrowserContext and
IsolationContext will be able to simply pass an IsolationContext.
Design doc: https://goo.gl/4xVPKW
Bug: 905513
Change-Id: I5d6fb7724524e85efe492da26077209fa90be1bf
Reviewed-on: https://chromium-review.googlesource.com/c/1377616
Commit-Queue: Alex Moshchuk <alexmos@chromium.org>
Reviewed-by: Charlie Reis <creis@chromium.org>
Reviewed-by: Łukasz Anforowicz <lukasza@chromium.org>
Cr-Commit-Position: refs/heads/master@{#622715}
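One way to model the lookup the two isolated-origin CLs above describe (a BrowsingInstance ID carried in the IsolationContext so that dynamically added isolated origins apply only to future BrowsingInstances, plus a BrowserContext so that profile-scoped entries apply only to their own profile), together with the snapshot of the default isolation state taken at BrowsingInstance creation from the OriginAgentIsolationState refactor, as an added illustrative example. This is not Chromium's code: every type and function name, the scheme of recording the next BrowsingInstance ID when an origin is added, and the scenario inputs are assumptions chosen to mirror the commit messages.

```cpp
// Illustrative model of IsolationContext-scoped isolated-origin lookup.
// Added example, not Chromium code; all names below are assumptions.
#include <cstdint>
#include <optional>
#include <string>
#include <vector>

using BrowsingInstanceId = int32_t;  // Chromium uses base::IdType32; plain int here.

struct BrowserContext { std::string name; };  // stand-in for a profile

// Default origin isolation setting (e.g. driven by an enterprise policy).
enum class OriginIsolationDefault { kSiteKeyed, kOriginKeyed };

// Stand-in for content::IsolationContext: says which BrowsingInstance and
// which profile is asking a process-model question.
struct IsolationContext {
  BrowsingInstanceId browsing_instance_id;
  const BrowserContext* browser_context;
  OriginIsolationDefault default_isolation_state;  // snapshotted at creation
};

struct IsolatedOriginEntry {
  std::string origin;
  BrowsingInstanceId min_browsing_instance_id;  // first BrowsingInstance it applies to
  const BrowserContext* browser_context;         // nullptr => applies to all profiles
};

class ChildProcessSecurityPolicy {
 public:
  // Called when a BrowsingInstance is created: hands out the next id and
  // copies the current default so later policy changes don't affect it.
  IsolationContext CreateBrowsingInstanceContext(const BrowserContext* profile) {
    return IsolationContext{next_browsing_instance_id_++, profile, default_isolation_};
  }

  void SetDefaultIsolation(OriginIsolationDefault d) { default_isolation_ = d; }

  // Assumed scheme: record the *next* BrowsingInstance id, so only
  // BrowsingInstances created from now on match the new entry.
  void AddIsolatedOrigin(const std::string& origin, const BrowserContext* profile = nullptr) {
    entries_.push_back({origin, next_browsing_instance_id_, profile});
  }

  std::optional<IsolatedOriginEntry> GetMatchingIsolatedOrigin(
      const IsolationContext& ctx, const std::string& origin) const {
    for (const auto& e : entries_) {
      if (e.origin != origin) continue;
      if (ctx.browsing_instance_id < e.min_browsing_instance_id) continue;  // added too late
      if (e.browser_context != nullptr && e.browser_context != ctx.browser_context) continue;
      return e;
    }
    return std::nullopt;
  }

  bool DoesOriginRequireDedicatedProcess(const IsolationContext& ctx,
                                         const std::string& origin) const {
    return GetMatchingIsolatedOrigin(ctx, origin).has_value();
  }

 private:
  BrowsingInstanceId next_browsing_instance_id_ = 1;
  OriginIsolationDefault default_isolation_ = OriginIsolationDefault::kSiteKeyed;
  std::vector<IsolatedOriginEntry> entries_;
};

// Constructed scenario: returns true when every property from the CLs holds.
bool RunScenario() {
  ChildProcessSecurityPolicy policy;
  BrowserContext profile_a{"a"}, profile_b{"b"};

  policy.AddIsolatedOrigin("https://bank.example");  // startup-time, global
  IsolationContext bi1 = policy.CreateBrowsingInstanceContext(&profile_a);  // id 1
  policy.AddIsolatedOrigin("https://late.example");                // dynamic, min id 2
  policy.AddIsolatedOrigin("https://only-b.example", &profile_b);  // profile-scoped
  IsolationContext bi2 = policy.CreateBrowsingInstanceContext(&profile_a);  // id 2
  IsolationContext bi3 = policy.CreateBrowsingInstanceContext(&profile_b);  // id 3

  bool ok = policy.DoesOriginRequireDedicatedProcess(bi1, "https://bank.example");
  ok = ok && !policy.DoesOriginRequireDedicatedProcess(bi1, "https://late.example");  // existing BI unaffected
  ok = ok && policy.DoesOriginRequireDedicatedProcess(bi2, "https://late.example");   // future BI sees it
  ok = ok && !policy.DoesOriginRequireDedicatedProcess(bi2, "https://only-b.example"); // wrong profile
  ok = ok && policy.DoesOriginRequireDedicatedProcess(bi3, "https://only-b.example");
  return ok;
}

// The default is captured per BrowsingInstance, so flipping it later
// changes only BrowsingInstances created afterwards.
bool DefaultIsSnapshotted() {
  ChildProcessSecurityPolicy policy;
  BrowserContext profile{"p"};
  IsolationContext before = policy.CreateBrowsingInstanceContext(&profile);
  policy.SetDefaultIsolation(OriginIsolationDefault::kOriginKeyed);
  IsolationContext after = policy.CreateBrowsingInstanceContext(&profile);
  return before.default_isolation_state == OriginIsolationDefault::kSiteKeyed &&
         after.default_isolation_state == OriginIsolationDefault::kOriginKeyed;
}
```

The two checks in GetMatchingIsolatedOrigin are the point: an entry can only match a BrowsingInstance whose ID is at or above the ID recorded when the entry was added, and a profile-scoped entry never matches an IsolationContext from another profile, while a global entry (null profile) matches any profile.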