
This CL introduces multiple SiteInstances per SiteInstanceGroup for subframe data: URLs. This feature is behind the feature flag kSiteInstanceGroupsForDataUrls, which is disabled by default, so there is no behaviour change in this CL. Subframe data: URLs will now have their own SiteInstance that goes in the same SiteInstanceGroup as its initiator. Currently, sandboxed data: subframes are excluded, as they require computing a variation of the initiator SiteInstance, which is out of scope for this CL and will be added in a followup. Because the new data: subframe shares a SiteInstanceGroup with its initiator, the number of processes remains the same as before. Test: Added SiteInstanceGroup browsertests Change-Id: If784b21ceccd440e35c0020053823ae287cf931d Bug: 40269084 Reviewed-on: https://chromium-review.googlesource.com/c/chromium/src/+/4675093 Reviewed-by: Andrey Kosyakov <caseq@chromium.org> Reviewed-by: Elly FJ <ellyjones@chromium.org> Reviewed-by: Charlie Reis <creis@chromium.org> Commit-Queue: Sharon Yang <yangsharon@chromium.org> Cr-Commit-Position: refs/heads/main@{#1382080}
398 lines
19 KiB
C++
398 lines
19 KiB
C++
// Copyright 2012 The Chromium Authors
|
|
// Use of this source code is governed by a BSD-style license that can be
|
|
// found in the LICENSE file.
|
|
|
|
#ifndef CONTENT_BROWSER_BROWSING_INSTANCE_H_
|
|
#define CONTENT_BROWSER_BROWSING_INSTANCE_H_
|
|
|
|
#include <stddef.h>
|
|
|
|
#include <optional>
|
|
|
|
#include "base/check_op.h"
|
|
#include "base/gtest_prod_util.h"
|
|
#include "base/lazy_instance.h"
|
|
#include "base/memory/raw_ptr.h"
|
|
#include "base/memory/ref_counted.h"
|
|
#include "content/browser/isolation_context.h"
|
|
#include "content/browser/security/coop/coop_related_group.h"
|
|
#include "content/browser/site_instance_group_manager.h"
|
|
#include "content/browser/web_exposed_isolation_info.h"
|
|
#include "content/common/content_export.h"
|
|
#include "content/public/browser/browser_context.h"
|
|
#include "content/public/browser/render_process_host_observer.h"
|
|
#include "content/public/browser/storage_partition_config.h"
|
|
#include "url/origin.h"
|
|
|
|
class GURL;
|
|
|
|
namespace content {
|
|
class SiteInfo;
|
|
class SiteInstanceGroup;
|
|
class SiteInstanceImpl;
|
|
struct UrlInfo;
|
|
|
|
///////////////////////////////////////////////////////////////////////////////
|
|
//
|
|
// BrowsingInstance class
|
|
//
|
|
// A browsing instance corresponds to the notion of a "unit of related browsing
|
|
// contexts" in the HTML 5 spec. Intuitively, it represents a collection of
|
|
// tabs and frames that can have script connections to each other. In that
|
|
// sense, it reflects the user interface, and not the contents of the tabs and
|
|
// frames.
|
|
//
|
|
// We further subdivide a BrowsingInstance into SiteInstances, which represent
|
|
// the documents within each BrowsingInstance that are from the same site and
|
|
// thus can have script access to each other. Different SiteInstances can
|
|
// safely run in different processes, because their documents cannot access
|
|
// each other's contents (due to the same origin policy).
|
|
//
|
|
// It is important to only have one SiteInstance per site within a given
|
|
// BrowsingInstance. This is because any two documents from the same site
|
|
// might be able to script each other if they are in the same BrowsingInstance.
|
|
// Thus, they must be rendered in the same process.
|
|
//
|
|
// A BrowsingInstance is live as long as any SiteInstance has a reference to
|
|
// it, and thus as long as any SiteInstanceGroup within it exists. A
|
|
// SiteInstance is live as long as any NavigationEntry or RenderFrameHost have
|
|
// references to it. Because both classes are RefCounted, they do not need to
|
|
// be manually deleted.
|
|
//
|
|
// BrowsingInstance has no public members, as it is designed to be
|
|
// visible only from the SiteInstance and CoopRelatedGroup classes. To get a new
|
|
// SiteInstance that is part of the same BrowsingInstance, use
|
|
// SiteInstance::GetRelatedSiteInstance. Because of this, BrowsingInstances and
|
|
// SiteInstances are tested together in site_instance_unittest.cc.
|
|
//
|
|
// Note that a browsing instance in the browser is independently tracked in
|
|
// the renderer inside blink::Page::RelatedPages() method (in theory the browser
|
|
// and renderer should always stay in sync).
|
|
//
|
|
///////////////////////////////////////////////////////////////////////////////
|
|
class CONTENT_EXPORT BrowsingInstance final
|
|
: public base::RefCounted<BrowsingInstance> {
|
|
public:
|
|
BrowsingInstance(const BrowsingInstance&) = delete;
|
|
BrowsingInstance& operator=(const BrowsingInstance&) = delete;
|
|
|
|
private:
|
|
friend class base::RefCounted<BrowsingInstance>;
|
|
friend class SiteInstanceGroup;
|
|
friend class SiteInstanceImpl;
|
|
friend class CoopRelatedGroup;
|
|
FRIEND_TEST_ALL_PREFIXES(SiteInstanceGroupTest, BrowsingInstanceLifetime);
|
|
FRIEND_TEST_ALL_PREFIXES(SiteInstanceTest, OneSiteInstancePerSite);
|
|
FRIEND_TEST_ALL_PREFIXES(SiteInstanceTest,
|
|
OneSiteInstancePerSiteInBrowserContext);
|
|
|
|
// Return an ID of the next BrowsingInstance to be created. This ID is
|
|
// guaranteed to be higher than any ID of an existing BrowsingInstance. This
|
|
// does *not* increment the global counter used for assigning
|
|
// BrowsingInstance IDs: that happens only in the BrowsingInstance
|
|
// constructor.
|
|
static BrowsingInstanceId NextBrowsingInstanceId();
|
|
|
|
// Create a new BrowsingInstance.
|
|
//
|
|
// `web_exposed_isolation_info` indicates whether the BrowsingInstance
|
|
// should contain only cross-origin isolated pages, i.e. pages with
|
|
// cross-origin-opener-policy set to same-origin and
|
|
// cross-origin-embedder-policy set to require-corp, and if so, from which
|
|
// top level origin.
|
|
//
|
|
// `is_guest` specifies whether this BrowsingInstance will
|
|
// be used in a <webview> guest; `is_fenced` specifies whether this
|
|
// BrowsingInstance is used inside a fenced frame.
|
|
// `is_fixed_storage_partition` indicates whether the current
|
|
// StoragePartition will apply to future navigations. It must be set to true
|
|
// if `is_guest` is true. Note that `is_guest`, `is_fenced`, and
|
|
// `is_fixed_storage_partition` cannot change over the lifetime of the
|
|
// BrowsingInstance.
|
|
//
|
|
// `coop_related_group` represents the CoopRelatedGroup to which this
|
|
// BrowsingInstance belongs. Pages that live in BrowsingInstances in the same
|
|
// group can communicate with each other through a subset of the WindowProxy
|
|
// APIs. This is only used for COOP logic and for all other cases should
|
|
// simply be nullptr. The constructor will take care of building a new group.
|
|
//
|
|
// If `common_coop_origin` is set, it indicates that all documents hosted by
|
|
// the BrowsingInstance have the same COOP value defined by the given origin.
|
|
explicit BrowsingInstance(
|
|
BrowserContext* context,
|
|
const WebExposedIsolationInfo& web_exposed_isolation_info,
|
|
bool is_guest,
|
|
bool is_fenced,
|
|
bool is_fixed_storage_partition,
|
|
const scoped_refptr<CoopRelatedGroup>& coop_related_group,
|
|
std::optional<url::Origin> common_coop_origin);
|
|
|
|
~BrowsingInstance();
|
|
|
|
// Get the browser context to which this BrowsingInstance belongs.
|
|
BrowserContext* GetBrowserContext() const;
|
|
|
|
// Get the IsolationContext associated with this BrowsingInstance. This can
|
|
// be used to track this BrowsingInstance in other areas of the code, along
|
|
// with any other state needed to make isolation decisions.
|
|
const IsolationContext& isolation_context() { return isolation_context_; }
|
|
|
|
// Return true if the StoragePartition should be preserved across future
|
|
// navigations in the frames belonging to this BrowsingInstance. For <webview>
|
|
// tags, this always returns true.
|
|
bool is_fixed_storage_partition() { return is_fixed_storage_partition_; }
|
|
|
|
// Get the SiteInstanceGroupManager that controls all of the SiteInstance
|
|
// groups associated with this BrowsingInstance.
|
|
SiteInstanceGroupManager& site_instance_group_manager() {
|
|
return site_instance_group_manager_;
|
|
}
|
|
|
|
// Returns whether this BrowsingInstance has registered a SiteInstance for
|
|
// the site of |site_info|.
|
|
bool HasSiteInstance(const SiteInfo& site_info);
|
|
|
|
// Get the SiteInstance responsible for rendering the given UrlInfo. Should
|
|
// create a new one if necessary, but should not create more than one
|
|
// SiteInstance per site.
|
|
//
|
|
// |allow_default_instance| should be set to true in cases where the caller
|
|
// is ok with |url| sharing a process with other sites that do not require
|
|
// a dedicated process. Note that setting this to true means that the
|
|
// SiteInstanceImpl you get back may return "http://unisolated.invalid" for
|
|
// GetSiteURL() and lock_url() calls because the default instance is not
|
|
// bound to a single site.
|
|
scoped_refptr<SiteInstanceImpl> GetSiteInstanceForURL(
|
|
const UrlInfo& url_info,
|
|
bool allow_default_instance);
|
|
|
|
// Same as above, but if a new SiteInstance needs to be created, it will be
|
|
// part of `creation_group`. A SiteInstance in a different group may be
|
|
// returned, if a matching SiteInstance already exists in this
|
|
// BrowsingInstance.
|
|
scoped_refptr<SiteInstanceImpl> GetSiteInstanceForURL(
|
|
const UrlInfo& url_info,
|
|
SiteInstanceGroup* creation_group,
|
|
bool allow_default_instance);
|
|
|
|
// This is the same as GetSiteInstanceForURL, but requires a valid
|
|
// `creation_group`. The returned SiteInstance could be in a different group
|
|
// if it exists already. If it is being created, the new SiteInstance will be
|
|
// in `creation_group`.
|
|
scoped_refptr<SiteInstanceImpl> GetMaybeGroupRelatedSiteInstanceForURL(
|
|
const UrlInfo& url_info,
|
|
SiteInstanceGroup* creation_group);
|
|
|
|
// Searches existing SiteInstances in the BrowsingInstance and returns a
|
|
// pointer to the (unique) SiteInstance that matches `site_info`, if any.
|
|
// If no matching SiteInstance is found, then a new SiteInstance is created
|
|
// in this BrowsingInstance with its site set to `site_info`.
|
|
scoped_refptr<SiteInstanceImpl> GetSiteInstanceForSiteInfo(
|
|
const SiteInfo& site_info);
|
|
|
|
// Return a SiteInstance in the same CoopRelatedGroup as this
|
|
// BrowsingInstance. It might or might not be in a new BrowsingInstance, and
|
|
// if it reuses an existing BrowsingInstance of the group, it might reuse an
|
|
// appropriate SiteInstance as well.
|
|
scoped_refptr<SiteInstanceImpl> GetCoopRelatedSiteInstanceForURL(
|
|
const UrlInfo& url_info,
|
|
bool allow_default_instance);
|
|
|
|
// Returns a SiteInfo with site and process-lock URLs for |url_info| that are
|
|
// identical with what these values would be if we called
|
|
// GetSiteInstanceForURL() with the same `url_info` and
|
|
// `allow_default_instance`. This method is used when we need this
|
|
// information, but do not want to create a SiteInstance yet.
|
|
//
|
|
// Note: Unlike ComputeSiteInfoForURL() this method can return a SiteInfo for
|
|
// a default SiteInstance, if `url_info` can be placed in the default
|
|
// SiteInstance and `allow_default_instance` is true.
|
|
//
|
|
// Note: Since we're asking to get a SiteInfo that would belong in this
|
|
// BrowsingInstance, it is mandatory that |url_info|'s
|
|
// web_exposed_isolation_info is compatible with the BrowsingInstance's
|
|
// internal WebExposedIsolationInfo value.
|
|
SiteInfo GetSiteInfoForURL(const UrlInfo& url_info,
|
|
bool allow_default_instance);
|
|
|
|
// Helper function used by GetSiteInstanceForURL() and GetSiteInfoForURL()
|
|
// that returns an existing SiteInstance from |site_instance_map_| or
|
|
// returns |default_site_instance_| if |allow_default_instance| is true and
|
|
// other conditions are met. If there is no existing SiteInstance that is
|
|
// appropriate for |url_info|, |allow_default_instance| combination, then a
|
|
// nullptr is returned.
|
|
//
|
|
// Note: This method is not intended to be called by code outside this object.
|
|
scoped_refptr<SiteInstanceImpl> GetSiteInstanceForURLHelper(
|
|
const UrlInfo& url_info,
|
|
bool allow_default_instance);
|
|
|
|
// Adds the given SiteInstance to our map, to ensure that we do not create
|
|
// another SiteInstance for the same site.
|
|
void RegisterSiteInstance(SiteInstanceImpl* site_instance);
|
|
|
|
// Removes the given SiteInstance from our map, after all references to it
|
|
// have been deleted. This means it is safe to create a new SiteInstance
|
|
// if the user later visits a page from this site, within this
|
|
// BrowsingInstance.
|
|
void UnregisterSiteInstance(SiteInstanceImpl* site_instance);
|
|
|
|
// Returns the token uniquely identifying the CoopRelatedGroup this
|
|
// BrowsingInstance belongs to. This might be used in the renderer, as opposed
|
|
// to IDs.
|
|
base::UnguessableToken coop_related_group_token() const {
|
|
return coop_related_group_->token();
|
|
}
|
|
|
|
// Returns the token uniquely identifying this BrowsingInstance. See member
|
|
// declaration for more context.
|
|
base::UnguessableToken token() const { return token_; }
|
|
|
|
// Returns the total number of WebContents either living in this
|
|
// BrowsingInstance or that can communicate with it via the CoopRelatedGroup.
|
|
size_t GetCoopRelatedGroupActiveContentsCount();
|
|
|
|
// Tracks the number of WebContents currently in this BrowsingInstance.
|
|
// Note: We also separately track the number of WebContents in the entire
|
|
// CoopRelatedGroup, and keep the per-BrowsingInstance counts for validity
|
|
// checks.
|
|
void IncrementActiveContentsCount();
|
|
void DecrementActiveContentsCount();
|
|
|
|
bool HasDefaultSiteInstance() const {
|
|
return default_site_instance_ != nullptr;
|
|
}
|
|
|
|
// Helper function used by other methods in this class to ensure consistent
|
|
// mapping between |url_info| and SiteInfo. This method will never return a
|
|
// SiteInfo for the default SiteInstance. It will always return something
|
|
// specific to |url_info|.
|
|
//
|
|
// Note: This should not be used by code outside this class.
|
|
SiteInfo ComputeSiteInfoForURL(const UrlInfo& url_info) const;
|
|
|
|
// Computes the number of extra SiteInstances for each site due to OAC's
|
|
// splitting a site into isolated origins.
|
|
int EstimateOriginAgentClusterOverhead();
|
|
|
|
// Map of SiteInfo to SiteInstance, to ensure we only have one SiteInstance
|
|
// per SiteInfo. See https://crbug.com/1085275#c2 for the rationale behind
|
|
// why SiteInfo is the right class to key this on.
|
|
typedef std::map<SiteInfo, raw_ptr<SiteInstanceImpl, CtnExperimental>>
|
|
SiteInstanceMap;
|
|
|
|
// Returns the cross-origin isolation status of the BrowsingInstance.
|
|
const WebExposedIsolationInfo& web_exposed_isolation_info() const {
|
|
return web_exposed_isolation_info_;
|
|
}
|
|
|
|
SiteInstanceImpl* default_site_instance() { return default_site_instance_; }
|
|
|
|
const std::optional<url::Origin>& common_coop_origin() const {
|
|
return common_coop_origin_;
|
|
}
|
|
|
|
// The next available browser-global BrowsingInstance ID.
|
|
static int next_browsing_instance_id_;
|
|
|
|
// The IsolationContext associated with this BrowsingInstance. This will not
|
|
// change after the BrowsingInstance is constructed.
|
|
//
|
|
// This holds a common BrowserContext to which all SiteInstances in this
|
|
// BrowsingInstance must belong.
|
|
const IsolationContext isolation_context_;
|
|
|
|
// Manages all SiteInstance groups for this BrowsingInstance.
|
|
SiteInstanceGroupManager site_instance_group_manager_;
|
|
|
|
// Map of site to SiteInstance, to ensure we only have one SiteInstance per
|
|
// site. The site string should be the possibly_invalid_spec() of a GURL
|
|
// obtained with SiteInstanceImpl::GetSiteForURL. Note that this map may not
|
|
// contain every active SiteInstance, because a race exists where two
|
|
// SiteInstances can be assigned to the same site. This is ok in rare cases.
|
|
// It also does not contain SiteInstances which have not yet been assigned a
|
|
// site, such as about:blank. See SiteInstance::ShouldAssignSiteForURL.
|
|
// This map only contains instances that map to a single site. The
|
|
// |default_site_instance_|, which associates multiple sites with a single
|
|
// instance, is not contained in this map.
|
|
SiteInstanceMap site_instance_map_;
|
|
|
|
// Number of WebContentses currently using this BrowsingInstance.
|
|
size_t active_contents_count_;
|
|
|
|
// SiteInstance to use if a URL does not correspond to an instance in
|
|
// |site_instance_map_| and it does not require a dedicated process.
|
|
// This field and site_instance_group_manager_.default_process_ are mutually
|
|
// exclusive and this field should only be set if
|
|
// kProcessSharingWithStrictSiteInstances is not enabled. This is a raw
|
|
// pointer to avoid a reference cycle between the BrowsingInstance and the
|
|
// SiteInstanceImpl. Note: This can hold cross-origin isolated SiteInstances.
|
|
// It will however only do so under certain specific circumstances (for
|
|
// example on a low memory device), which don't use the COOP isolation
|
|
// heuristic that normally prevents the use of default SiteInstances for
|
|
// cross-origin isolated pages.
|
|
raw_ptr<SiteInstanceImpl> default_site_instance_;
|
|
|
|
// The cross-origin isolation status of the BrowsingInstance. This indicates
|
|
// whether this BrowsingInstance is hosting only cross-origin isolated pages
|
|
// and if so, from which top level origin.
|
|
const WebExposedIsolationInfo web_exposed_isolation_info_;
|
|
|
|
// The StoragePartitionConfig that must be used by all SiteInstances in this
|
|
// BrowsingInstance. This will be set to the StoragePartitionConfig of the
|
|
// first SiteInstance that has its SiteInfo assigned in this
|
|
// BrowsingInstance, and cannot be changed afterwards.
|
|
//
|
|
// See crbug.com/1212266 for more context on why we track the
|
|
// StoragePartitionConfig here.
|
|
std::optional<StoragePartitionConfig> storage_partition_config_;
|
|
|
|
// The CoopRelatedGroup this BrowsingInstance belongs to. BrowsingInstances in
|
|
// the same CoopRelatedGroup have limited window proxy access to each other.
|
|
// In most cases, a CoopRelatedGroup will only contain a single
|
|
// BrowsingInstance, unless pages that use COOP: restrict-properties headers
|
|
// are involved.
|
|
scoped_refptr<CoopRelatedGroup> coop_related_group_;
|
|
|
|
// If set, indicates that all documents in this BrowsingInstance share the
|
|
// same COOP value defined by the given origin. In practice, this can only be
|
|
// the case for COOP: same-origin and COOP: restrict-properties.
|
|
//
|
|
// For COOP: same-origin, this will be enforced by COOP swap rules and the
|
|
// value is recorded for invariant checking.
|
|
//
|
|
// For COOP: restrict-properties, this is also used to make sure that the
|
|
// BrowsingInstance is suitable when we're trying to put a new document into
|
|
// an existing BrowsingInstance that is part of the CoopRelatedGroup. To
|
|
// prevent unwanted access, a document with COOP: restrict-properties set from
|
|
// origin a.com should only be put in a BrowsingInstance that holds such
|
|
// documents. This would otherwise break the access guarantees that we have
|
|
// given, of only being able to DOM script same-origin same-COOP documents,
|
|
// and to have limited cross-origin communication with all other pages.
|
|
//
|
|
// TODO(crbug.com/40879437): This assumes that popups opened from
|
|
// cross-origin iframes are opened with no-opener. Once COOP inheritance for
|
|
// those cases is figured out, change the mentions of origin to "COOP origin".
|
|
std::optional<url::Origin> common_coop_origin_;
|
|
|
|
// Set to true if the StoragePartition should be preserved across future
|
|
// navigations in the frames belonging to this BrowsingInstance. For <webview>
|
|
// tags, this is always true.
|
|
//
|
|
// TODO(crbug.com/40943418): We actually always want this behavior. Remove
|
|
// this bit when we are ready.
|
|
const bool is_fixed_storage_partition_;
|
|
|
|
// A token uniquely identifying this BrowsingInstance. This is used in case we
|
|
// need this information available in the renderer process, rather than
|
|
// sending an ID. Both IDs and Tokens are necessary, because some parts of the
|
|
// process model use the ordering of the IDs, that cannot be provided by
|
|
// tokens alone. Also note that IDs are defined in IsolationContext while
|
|
// tokens are more conveniently defined here.
|
|
const base::UnguessableToken token_ = base::UnguessableToken::Create();
|
|
};
|
|
|
|
} // namespace content
|
|
|
|
#endif // CONTENT_BROWSER_BROWSING_INSTANCE_H_
|