chromium/src
0
Fork 0
Code Activity
Files
aa7669591cf060289ea900ef8d71b091f95b88a6
src/content/browser/site_instance_impl.h
Arthur Hemery 9a5d1bd7ff [CrossOriginIsolated] Clarify WebExposedIsolationInfo inheritances. 
UrlInfos are converted to SiteInfos to create and compare security
principals. In certain cases it is even converted to a ProcessLock such
as in RenderProcessHostImpl::IsSuitableHost(). When a navigation is
at the speculative stage (and some other niche cases) we won't have a
WebExposedIsolationInfo yet, because we haven't received security
headers or are outside of the standard security model (about:blank for
example). UrlInfo carries an optional WebExposedIsolationInfo but
SiteInfo represents a real object and must have a non optional value.
What do we put in the SiteInfos when converting if it's optional?

That's what this patch is trying to address, by doing the following:
- UrlInfo() and UrlInfoInit() are created with a nullopt value instead
  of a CreateNonIsolated() value. If people converting use explicit
  UrlInfo constructor, generally to make clear what attributes they're
  trying to compare, we will get nullopt in places where we do the
  conversions.
- When we're converting using half a UrlInfo, half a
  SiteInstance/BrowsingInstance, for example in DeriveSiteInfo(), we
  DCHECK that the WebExposedIsolationInfos are compatible. This way we
  avoid complicated semantics and possible interpretations.
- We override any optional value with a value that makes sense (usually
  the WebExposedIsolationInfo of the class we're half-using.)
- We add one single conversion point from optional to
  CreateNonIsolated() at the heart of the SiteInfo constructor, to
  accommodate for the cases where a new SiteInstance/BrowsingInstance
  must be created at a speculative stage for example.

Bug: 1243449
Change-Id: Ibd7a815c162a789403b1ac9dbd2efdc6f7475315
Reviewed-on: https://chromium-review.googlesource.com/c/chromium/src/+/3377183
Reviewed-by: Alex Moshchuk <alexmos@chromium.org>
Commit-Queue: Arthur Hemery <ahemery@chromium.org>
Cr-Commit-Position: refs/heads/main@{#958524}
2022-01-13 11:17:45 +00:00

606 lines
28 KiB
C++
Raw Blame History

// Copyright (c) 2012 The Chromium Authors. All rights reserved.
// Use of this source code is governed by a BSD-style license that can be
// found in the LICENSE file.
#ifndef CONTENT_BROWSER_SITE_INSTANCE_IMPL_H_
#define CONTENT_BROWSER_SITE_INSTANCE_IMPL_H_
#include <stddef.h>
#include <stdint.h>
#include "base/memory/raw_ptr.h"
#include "base/observer_list.h"
#include "content/browser/isolation_context.h"
#include "content/browser/site_info.h"
#include "content/browser/web_exposed_isolation_info.h"
#include "content/common/content_export.h"
#include "content/public/browser/render_process_host_observer.h"
#include "content/public/browser/site_instance.h"
#include "content/public/browser/storage_partition_config.h"
#include "third_party/perfetto/include/perfetto/tracing/traced_proto.h"
#include "third_party/perfetto/include/perfetto/tracing/traced_value_forward.h"
#include "url/gurl.h"
#include "url/origin.h"
namespace perfetto {
namespace protos {
namespace pbzero {
class SiteInstance;
}
} // namespace protos
} // namespace perfetto
namespace content {
class AgentSchedulingGroupHost;
class BrowsingInstance;
class RenderProcessHostFactory;
class SiteInstanceGroup;
class StoragePartitionConfig;
class StoragePartitionImpl;
struct UrlInfo;
class CONTENT_EXPORT SiteInstanceImpl final : public SiteInstance,
public RenderProcessHostObserver {
public:
class CONTENT_EXPORT Observer {
public:
// Called when this SiteInstance transitions to having no active frames,
// as measured by active_frame_count().
virtual void ActiveFrameCountIsZero(SiteInstanceImpl* site_instance) {}
// Called when the renderer process of this SiteInstance has exited. Note
// that GetProcess() still returns the same RenderProcessHost instance. You
// can reinitialize it by a call to GetProcess()->Init().
virtual void RenderProcessGone(SiteInstanceImpl* site_instance,
const ChildProcessTerminationInfo& info) {}
// Called when the RenderProcessHost for this SiteInstance has been
// destructed. After this, the underlying `process_` is cleared, and calling
// GetProcess() would assign a different RenderProcessHost to this
// SiteInstance.
virtual void RenderProcessHostDestroyed() {}
};
SiteInstanceImpl(const SiteInstanceImpl&) = delete;
SiteInstanceImpl& operator=(const SiteInstanceImpl&) = delete;
// Methods for creating new SiteInstances. The documentation for these methods
// are on the SiteInstance::Create* methods with the same name.
static scoped_refptr<SiteInstanceImpl> Create(
BrowserContext* browser_context);
// `url_info` contains the GURL for which we want to create a SiteInstance,
// along with other state relevant to making process allocation decisions.
static scoped_refptr<SiteInstanceImpl> CreateForUrlInfo(
BrowserContext* browser_context,
const UrlInfo& url_info);
static scoped_refptr<SiteInstanceImpl> CreateForGuest(
BrowserContext* browser_context,
const StoragePartitionConfig& partition_config);
// Creates a SiteInstance that will be use for a service worker.
// `url_info` - The UrlInfo for the service worker. It contains the URL and
// other information necessary to take process model decisions.
//
// Note: if `is_guest` is false, the URL is the main script URL.
// If `is_guest` is true, it is the <webview> guest site URL.
//
// Note: `url_info`'s web_exposed_isolation_info indicates the
// web-exposed isolation state of the main script (note that
// ServiceWorker "cross-origin isolation" does not require
// Cross-Origin-Opener-Policy to be set).
//
// `can_reuse_process` - Set to true if the new SiteInstance can use the
// same process as the renderer for `url_info`.
// `is_guest` - Set to true if the new SiteInstance is for a <webview>
// guest.
static scoped_refptr<SiteInstanceImpl> CreateForServiceWorker(
BrowserContext* browser_context,
const UrlInfo& url_info,
bool can_reuse_process = false,
bool is_guest = false);
// Creates a SiteInstance for |url| like CreateForUrlInfo() would except the
// instance that is returned has its process_reuse_policy set to
// REUSE_PENDING_OR_COMMITTED_SITE and the default SiteInstance will never
// be returned.
static scoped_refptr<SiteInstanceImpl> CreateReusableInstanceForTesting(
BrowserContext* browser_context,
const GURL& url);
// Creates a SiteInstance for |url| in a new BrowsingInstance for testing
// purposes. This works similarly to CreateForUrlInfo() but with default
// parameters that are suitable for most tests.
static scoped_refptr<SiteInstanceImpl> CreateForTesting(
BrowserContext* browser_context,
const GURL& url);
static bool ShouldAssignSiteForURL(const GURL& url);
// Returns the SiteInstanceGroup |this| belongs to.
// Currently, each SiteInstanceGroup has exactly one SiteInstance, but that
// will change as the migration continues. See crbug.com/1195535.
SiteInstanceGroup* group() { return site_instance_group_.get(); }
// Use this to get a related SiteInstance during navigations, where UrlInfo
// may be requesting opt-in isolation. Outside of navigations, callers just
// looking up an existing SiteInstance based on a GURL can use
// GetRelatedSiteInstance (overridden from SiteInstance).
scoped_refptr<SiteInstanceImpl> GetRelatedSiteInstanceImpl(
const UrlInfo& url_info);
bool IsSameSiteWithURLInfo(const UrlInfo& url_info);
// SiteInstance interface overrides.
SiteInstanceId GetId() override;
BrowsingInstanceId GetBrowsingInstanceId() override;
bool HasProcess() override;
RenderProcessHost* GetProcess() override;
BrowserContext* GetBrowserContext() override;
const GURL& GetSiteURL() override;
const StoragePartitionConfig& GetStoragePartitionConfig() override;
scoped_refptr<SiteInstance> GetRelatedSiteInstance(const GURL& url) override;
bool IsRelatedSiteInstance(const SiteInstance* instance) override;
size_t GetRelatedActiveContentsCount() override;
bool RequiresDedicatedProcess() override;
bool IsSameSiteWithURL(const GURL& url) override;
bool IsGuest() override;
SiteInstanceProcessAssignment GetLastProcessAssignmentOutcome() override;
void WriteIntoTrace(perfetto::TracedValue context) override;
int EstimateOriginAgentClusterOverheadForMetrics() override;
// Write a representation of this object into a trace.
void WriteIntoTrace(
perfetto::TracedProto<perfetto::protos::pbzero::SiteInstance> proto);
// This is called every time a renderer process is assigned to a SiteInstance
// and is used by the content embedder for collecting metrics.
void set_process_assignment(SiteInstanceProcessAssignment assignment) {
process_assignment_ = assignment;
}
// The policy to apply when selecting a RenderProcessHost for the
// SiteInstance. If no suitable RenderProcessHost for the SiteInstance exists
// according to the policy, and there are processes with unmatched service
// workers for the site, the newest process with an unmatched service worker
// is reused. If still no RenderProcessHost exists a new RenderProcessHost
// will be created unless the process limit has been reached. When the limit
// has been reached, the RenderProcessHost reused will be chosen randomly and
// not based on the site.
enum class ProcessReusePolicy {
// In this mode, all instances of the site will be hosted in the same
// RenderProcessHost.
PROCESS_PER_SITE,
// In this mode, the site will be rendered in a RenderProcessHost that is
// already in use for the site, either for a pending navigation or a
// committed navigation. If multiple such processes exist, ones that have
// foreground frames are given priority, and otherwise one is selected
// randomly.
REUSE_PENDING_OR_COMMITTED_SITE,
// In this mode, SiteInstances don't proactively reuse processes. An
// existing process with an unmatched service worker for the site is reused
// only for navigations, not for service workers. When the process limit has
// been reached, a randomly chosen RenderProcessHost is reused as in the
// other policies.
DEFAULT,
};
void set_process_reuse_policy(ProcessReusePolicy policy) {
CHECK(!IsDefaultSiteInstance());
process_reuse_policy_ = policy;
}
ProcessReusePolicy process_reuse_policy() const {
return process_reuse_policy_;
}
// Returns true if |has_site_| is true and |site_info_| indicates that the
// process-per-site model should be used.
bool ShouldUseProcessPerSite() const;
// Checks if |current_process| can be reused for this SiteInstance, and
// sets |process_| to |current_process| if so.
void ReuseCurrentProcessIfPossible(RenderProcessHost* current_process);
// Whether the SiteInstance is created for a service worker. If this flag
// is true, when a new process is created for this SiteInstance or a randomly
// chosen existing process is reused because of the process limit, the process
// will be tracked as having an unmatched service worker until reused by
// another SiteInstance from the same site.
bool is_for_service_worker() const { return is_for_service_worker_; }
// Returns the URL which was used to set the |site_info_| for this
// SiteInstance. May be empty if this SiteInstance does not have a
// |site_info_|.
const GURL& original_url() {
DCHECK(!IsDefaultSiteInstance());
return original_url_;
}
// This is primarily a helper for RenderFrameHostImpl::IsNavigationSameSite();
// most callers should use that API.
//
// Returns true if navigating a frame with (|last_successful_url| and
// |last_committed_origin|) to |dest_url_info| should stay in the same
// SiteInstance to preserve scripting relationships. |dest_url_info| carries
// additional state, e.g. if the destination url requests origin isolation.
//
// |for_main_frame| is set to true if the caller is interested in an
// answer for a main frame. This is set to false for subframe navigations.
// Note: In some circumstances, like hosted apps, different answers can be
// returned if we are navigating a main frame instead of a subframe.
bool IsNavigationSameSite(const GURL& last_successful_url,
const url::Origin last_committed_origin,
bool for_main_frame,
const UrlInfo& dest_url_info);
// Returns true if a navigation to |dest_url| should be allowed to stay in
// the current process due to effective URLs being involved in the
// navigation, even if the navigation would normally result in a new process.
//
// This is needed to avoid BrowsingInstance swaps in cases where same-site
// navigations transition from a hosted app to a non-hosted app URL and must
// be kept in the same process due to scripting requirements.
bool IsNavigationAllowedToStayInSameProcessDueToEffectiveURLs(
BrowserContext* browser_context,
bool for_main_frame,
const GURL& dest_url);
// SiteInfo related functions.
// Returns the SiteInfo principal identifying all documents and workers within
// this SiteInstance.
// TODO(wjmaclean): eventually this function will replace const GURL&
// GetSiteURL().
const SiteInfo& GetSiteInfo();
// Called when a RenderViewHost was created with this object. It returns the
// same information as GetSiteInfo(), but also enables extra checks to ensure
// that the StoragePartition info for this object does not change when
// |site_info_| is set. This is important to verify if the SiteInfo has not
// been explicitly set at the time of this call (e.g. first navigation in a
// new tab).
// TODO(acolwell) : Remove once RenderViewHost no longer needs to store a
// SiteInfo and can store a StoragePartitionConfig instead. Extra verification
// should be enabled when the config is fetched and |site_info_| has not been
// set yet.
const SiteInfo& GetSiteInfoForRenderViewHost();
// Derives a new SiteInfo based on this SiteInstance's current state, and
// the information provided in `url_info`. This function is slightly different
// than SiteInfo::Create() because it takes into account information
// specific to this SiteInstance, like whether it is a guest or not, and
// changes its behavior accordingly. `is_related` - Controls the SiteInfo
// returned for non-guest SiteInstances.
// Set to true if the caller wants the SiteInfo for an existing related
// SiteInstance associated with `url_info`. This is identical to what you
// would get from GetRelatedSiteInstanceImpl(url_info)->GetSiteInfo(). This
// may return the SiteInfo for the default SiteInstance so callers must be
// prepared to deal with that. If set to false, a SiteInfo created with
// SiteInfo::Create() is returned.
//
// For guest SiteInstances, `site_info_` is returned because guests are not
// allowed to derive new guest SiteInfos. All guest navigations must stay in
// the same SiteInstance with the same SiteInfo.
//
// Note: Since we're deriving the state of the SiteInfo based on both UrlInfo
// and SiteInstance, we verify internally that their WebExposedIsolationInfos
// are compatible.
SiteInfo DeriveSiteInfo(const UrlInfo& url_info, bool is_related = false);
// Helper function that returns the storage partition domain for this
// object.
// This is a temporary helper function used to verify that
// the partition domain computed using this SiteInstance's site URL matches
// the partition domain returned by storage_partition->GetPartitionDomain().
// If there is a mismatch, we call DumpWithoutCrashing() and return the value
// computed from the site URL since that is the legacy behavior.
//
// TODO(acolwell) : Remove this function and update callers to directly call
// storage_partition->GetPartitionDomain() once we've verified that this is
// safe.
std::string GetPartitionDomain(StoragePartitionImpl* storage_partition);
// Returns true if this SiteInstance is for a site that has JIT disabled.
bool IsJitDisabled();
// Returns true if this SiteInstance is for a site that contains PDF contents.
bool IsPdf();
// Set the web site that this SiteInstance is rendering pages for.
// This includes the scheme and registered domain, but not the port. If the
// URL does not have a valid registered domain, then the full hostname is
// stored. This method does not convert this instance into a default
// SiteInstance, but the BrowsingInstance will call this method with
// |url_info| set to GetDefaultSiteURL(), when it is creating its default
// SiteInstance.
void SetSite(const UrlInfo& url_info);
// Similar to SetSite(), but first attempts to convert this object to a
// default SiteInstance if |url_info| can be placed inside a default
// SiteInstance. If conversion is not possible, then the normal SetSite()
// logic is run.
void ConvertToDefaultOrSetSite(const UrlInfo& url_info);
// Returns whether SetSite() has been called.
bool HasSite() const;
// Returns whether there is currently a related SiteInstance (registered with
// BrowsingInstance) for the given SiteInfo. If so, we should try to avoid
// dedicating an unused SiteInstance to it (e.g., in a new tab).
bool HasRelatedSiteInstance(const SiteInfo& site_info);
// Returns whether this SiteInstance is compatible with and can host the given
// |url_info|. If not, the browser should force a SiteInstance swap when
// navigating to the URL in |url_info|.
bool IsSuitableForUrlInfo(const UrlInfo& url_info);
// Increase the number of active frames in this SiteInstance. This is
// increased when a frame is created.
void IncrementActiveFrameCount();
// Decrease the number of active frames in this SiteInstance. This is
// decreased when a frame is destroyed. Decrementing this to zero will notify
// observers, and may trigger deletion of proxies.
void DecrementActiveFrameCount();
// Get the number of active frames which belong to this SiteInstance. If
// there are no active frames left, all frames in this SiteInstance can be
// safely discarded.
size_t active_frame_count() { return active_frame_count_; }
// Increase the number of active WebContentses using this SiteInstance. Note
// that, unlike active_frame_count, this does not count pending RFHs.
void IncrementRelatedActiveContentsCount();
// Decrease the number of active WebContentses using this SiteInstance. Note
// that, unlike active_frame_count, this does not count pending RFHs.
void DecrementRelatedActiveContentsCount();
void AddObserver(Observer* observer);
void RemoveObserver(Observer* observer);
// Whether GetProcess() method (when it needs to find a new process to
// associate with the current SiteInstanceImpl) can return a spare process.
bool CanAssociateWithSpareProcess();
// Has no effect if the SiteInstanceImpl already has a |process_|.
// Otherwise, prevents GetProcess() from associating this SiteInstanceImpl
// with the spare RenderProcessHost - instead GetProcess will either need to
// create a new, not-yet-initialized/spawned RenderProcessHost or will need to
// reuse one of existing RenderProcessHosts.
//
// See also:
// - https://crbug.com/840409.
// - WebContents::CreateParams::desired_renderer_state
// - SiteInstanceImpl::CanAssociateWithSpareProcess().
void PreventAssociationWithSpareProcess();
// Returns the special site URL used by the default SiteInstance.
static const GURL& GetDefaultSiteURL();
// Get the effective URL for the given actual URL. This allows the
// ContentBrowserClient to override the SiteInstance's site for certain URLs.
// For example, Chrome uses this to replace hosted app URLs with extension
// hosts.
// Only public so that we can make a consistent process swap decision in
// RenderFrameHostManager.
static GURL GetEffectiveURL(BrowserContext* browser_context, const GURL& url);
// Return an ID of the next BrowsingInstance to be created. This ID is
// guaranteed to be higher than any ID of an existing BrowsingInstance.
// This is useful when process model decisions need to be scoped only to
// future BrowsingInstances. In particular, this can determine the cutoff in
// BrowsingInstance IDs when adding a new isolated origin dynamically.
static BrowsingInstanceId NextBrowsingInstanceId();
// Return the IsolationContext associated with this SiteInstance. This
// specifies context for making process model decisions, such as information
// about the current BrowsingInstance.
const IsolationContext& GetIsolationContext();
// Returns a process suitable for this SiteInstance if the
// SiteInstanceGroupManager has one available. A null pointer will be returned
// if this SiteInstance's group does not have a process yet or the
// SiteInstanceGroupManager does not have a default process that can be reused
// by this SiteInstance.
RenderProcessHost* GetSiteInstanceGroupProcessIfAvailable();
// Returns true if this object was constructed as a default site instance.
bool IsDefaultSiteInstance() const;
// Returns true if |site_url| is a site url that the BrowsingInstance has
// associated with its default SiteInstance.
bool IsSiteInDefaultSiteInstance(const GURL& site_url) const;
// Returns true if the SiteInfo for |url_info| matches the SiteInfo for this
// instance (i.e. GetSiteInfo()). Otherwise returns false.
bool DoesSiteInfoForURLMatch(const UrlInfo& url_info);
// Adds |origin| as a non-isolated origin within this BrowsingInstance due to
// an existing instance at the time of opt-in, so that future instances of it
// here won't be origin isolated.
void PreventOptInOriginIsolation(
const url::Origin& previously_visited_origin);
// Returns the current AgentSchedulingGroupHost this SiteInstance is
// associated with. Since the AgentSchedulingGroupHost *must* be assigned (and
// cleared) together with the RenderProcessHost, calling this method when no
// AgentSchedulingGroupHost is set will trigger the creation of a new
// RenderProcessHost (with a new ID).
AgentSchedulingGroupHost& GetAgentSchedulingGroup();
// Returns the web-exposed isolation status of the BrowsingInstance this
// SiteInstance is part of.
const WebExposedIsolationInfo& GetWebExposedIsolationInfo() const;
// Simple helper function that returns the is_isolated property of the
// WebExposedIsolationInfo of this BrowsingInstance.
bool IsCrossOriginIsolated() const;
private:
friend class BrowsingInstance;
friend class SiteInstanceTestBrowserClient;
// Friend tests that need direct access to IsSameSite().
friend class SiteInstanceTest;
// Create a new SiteInstance. Only BrowsingInstance should call this
// directly; clients should use Create() or GetRelatedSiteInstance() instead.
explicit SiteInstanceImpl(BrowsingInstance* browsing_instance);
~SiteInstanceImpl() override;
// RenderProcessHostObserver implementation.
void RenderProcessHostDestroyed(RenderProcessHost* host) override;
void RenderProcessExited(RenderProcessHost* host,
const ChildProcessTerminationInfo& info) override;
// Used to restrict a process' origin access rights. This method gets called
// when a process gets assigned to this SiteInstance and when the
// SiteInfo is explicitly set. If the SiteInfo hasn't been set yet and
// the current process lock is invalid, then this method sets the process
// to an "allow_any_site" lock. If the SiteInfo gets set to something that
// restricts access to a specific site, then the lock will be upgraded to a
// "lock_to_site" lock.
void LockProcessIfNeeded();
// If kProcessSharingWithStrictSiteInstances is enabled, this will check
// whether both a site and a process have been assigned to this SiteInstance,
// and if this doesn't require a dedicated process, will offer process_ to
// BrowsingInstance as the default process for SiteInstances that don't need
// a dedicated process.
void MaybeSetBrowsingInstanceDefaultProcess();
// Sets the SiteInfo and other fields so that this instance becomes a
// default SiteInstance.
void SetSiteInfoToDefault(
const StoragePartitionConfig& storage_partition_config);
// Sets |site_info_| with |site_info| and registers this object with
// |browsing_instance_|. SetSite() calls this method to set the site and lock
// for a user provided URL. This method should only be called by code that
// need to set the site and lock directly without any "url to site URL"
// transformation.
void SetSiteInfoInternal(const SiteInfo& site_info);
// Helper method to set the process of this SiteInstance, only in cases
// where it is safe. It is not generally safe to change the process of a
// SiteInstance, unless the RenderProcessHost itself is entirely destroyed and
// a new one later replaces it.
void SetProcessInternal(RenderProcessHost* process);
// Returns true if |original_url()| is the same site as
// |dest_url_info| or this object is a default SiteInstance and can be
// considered the same site as |dest_url_info|.
bool IsOriginalUrlSameSite(const UrlInfo& dest_url_info,
bool should_compare_effective_urls);
// Add |site_info| to the set that tracks what sites have been allowed
// to be handled by this default SiteInstance.
void AddSiteInfoToDefault(const SiteInfo& site_info);
// Return whether both UrlInfos must share a process to preserve script
// relationships. The decision is based on a variety of factors such as
// the registered domain of the URLs (google.com, bbc.co.uk), the scheme
// (https, http), and isolated origins. Note that if the destination is a
// blank page, we consider that to be part of the same web site for the
// purposes for process assignment. |should_compare_effective_urls| allows
// comparing URLs without converting them to effective URLs first. This is
// useful for avoiding OOPIFs when otherwise same-site URLs may look
// cross-site via their effective URLs.
// Note: This method is private because it is an internal detail of this class
// and there is subtlety around how it can be called because of hosted
// apps. Most code outside this class should call
// RenderFrameHostImpl::IsNavigationSameSite() instead.
static bool IsSameSite(const IsolationContext& isolation_context,
const UrlInfo& src_url_info,
const UrlInfo& dest_url_info,
bool should_compare_effective_urls);
// True if |url| resolves to an effective URL that is different from |url|.
// See GetEffectiveURL(). This will be true for hosted apps as well as NTP
// URLs.
static bool HasEffectiveURL(BrowserContext* browser_context, const GURL& url);
// Returns true if |url| and its |site_url| can be placed inside a default
// SiteInstance.
//
// Note: |url| and |site_info| must be consistent with each other. In contexts
// where the caller only has |url| it can use
// SiteInfo::Create() to generate |site_info|. This call is
// intentionally not set as a default value to encourage the caller to reuse
// a SiteInfo computation if they already have one.
static bool CanBePlacedInDefaultSiteInstance(
const IsolationContext& isolation_context,
const GURL& url,
const SiteInfo& site_info);
// An object used to construct RenderProcessHosts.
static const RenderProcessHostFactory* g_render_process_host_factory_;
// A unique ID for this SiteInstance.
SiteInstanceId id_;
// Determines which RenderViewHosts, RenderWidgetHosts, and
// RenderFrameProxyHosts it uses. See the class-level comment of
// SiteInstanceGroup for more details.
scoped_refptr<SiteInstanceGroup> site_instance_group_;
// The number of active frames in this SiteInstance.
size_t active_frame_count_;
// BrowsingInstance to which this SiteInstance belongs.
scoped_refptr<BrowsingInstance> browsing_instance_;
// Current RenderProcessHost that is rendering pages for this SiteInstance,
// and AgentSchedulingGroupHost (within the process) this SiteInstance belongs
// to. Since AgentSchedulingGroupHost is associated with a specific
// RenderProcessHost, these *must be* changed together to avoid UAF!
// The |process_| pointer (and hence the |agent_scheduling_group_| pointer as
// well) will only change once the RenderProcessHost is destructed. They will
// still remain the same even if the process crashes, since in that scenario
// the RenderProcessHost remains the same.
raw_ptr<RenderProcessHost> process_;
raw_ptr<AgentSchedulingGroupHost> agent_scheduling_group_;
// Describes the desired behavior when GetProcess() method needs to find a new
// process to associate with the current SiteInstanceImpl. If |false|, then
// prevents the spare RenderProcessHost from being taken and stored in
// |process_|.
bool can_associate_with_spare_process_;
// The SiteInfo that this SiteInstance is rendering pages for.
SiteInfo site_info_;
// Whether SetSite has been called.
bool has_site_;
// The URL which was used to set the |site_info_| for this SiteInstance.
GURL original_url_;
// The ProcessReusePolicy to use when creating a RenderProcessHost for this
// SiteInstance.
ProcessReusePolicy process_reuse_policy_;
// Whether the SiteInstance was created for a service worker.
bool is_for_service_worker_;
// How |this| was last assigned to a renderer process.
SiteInstanceProcessAssignment process_assignment_;
base::ObserverList<Observer, true>::Unchecked observers_;
// Contains the state that is only required for default SiteInstances.
class DefaultSiteInstanceState;
std::unique_ptr<DefaultSiteInstanceState> default_site_instance_state_;
// Keeps track of whether we need to verify that the StoragePartition
// information does not change when `site_info_` is set.
bool verify_storage_partition_info_ = false;
};
} // namespace content
#endif // CONTENT_BROWSER_SITE_INSTANCE_IMPL_H_
View Git Blame Copy Permalink