Remove --enable-strict-site-isolation from code and comments.

--site-per-process is the new hotness.

BUG=497306

Review URL: https://codereview.chromium.org/1144253003

Cr-Commit-Position: refs/heads/master@{#333525}

11 files changed, 31 insertions, 132 deletions

diff --git a/chrome/browser/prerender/prerender_contents.cc b/chrome/browser/prerender/prerender_contents.cc
index ebe6549..fb7daa9 100644
--- a/chrome/browser/prerender/prerender_contents.cc
+++ b/chrome/browser/prerender/prerender_contents.cc
@@ -90,11 +90,11 @@ class PrerenderContents::WebContentsDelegateImpl
                               const OpenURLParams& params) override {
     // |OpenURLFromTab| is typically called when a frame performs a navigation
     // that requires the browser to perform the transition instead of WebKit.
-    // Examples include prerendering a site that redirects to an app URL,
-    // or if --enable-strict-site-isolation is specified and the prerendered
-    // frame redirects to a different origin.
-    // TODO(cbentzel): Consider supporting this if it is a common case during
-    // prerenders.
+    // Examples include prerendering a site that redirects to an app URL, or if
+    // --site-per-process is specified and the prerendered frame redirects to a
+    // different origin.
+    // TODO(cbentzel): Consider supporting this for CURRENT_TAB dispositions, if
+    // it is a common case during prerenders.
     prerender_contents_->Destroy(FINAL_STATUS_OPEN_URL);
     return NULL;
   }
diff --git a/content/browser/child_process_security_policy_impl.cc b/content/browser/child_process_security_policy_impl.cc
index 34caa5a..5b03dfc 100644
--- a/content/browser/child_process_security_policy_impl.cc
+++ b/content/browser/child_process_security_policy_impl.cc
@@ -235,26 +235,6 @@ class ChildProcessSecurityPolicyImpl::SecurityState {
     return origin_lock_ == site_gurl;
   }
 
-  bool CanSendCookiesForOrigin(const GURL& gurl) {
-    // We only block cross-site cookies on network requests if the
-    // --enable-strict-site-isolation flag is passed.  This is expected to break
-    // compatibility with many sites.  The similar --site-per-process flag only
-    // blocks JavaScript access to cross-site cookies (in
-    // CanAccessCookiesForOrigin).
-    const base::CommandLine& command_line =
-        *base::CommandLine::ForCurrentProcess();
-    if (!command_line.HasSwitch(switches::kEnableStrictSiteIsolation))
-      return true;
-
-    if (origin_lock_.is_empty())
-      return true;
-    // TODO(creis): We must pass the valid browser_context to convert hosted
-    // apps URLs.  Currently, hosted apps cannot set cookies in this mode.
-    // See http://crbug.com/160576.
-    GURL site_gurl = SiteInstanceImpl::GetSiteForURL(NULL, gurl);
-    return origin_lock_ == site_gurl;
-  }
-
   void LockToOrigin(const GURL& gurl) {
     origin_lock_ = gurl;
   }
@@ -822,26 +802,6 @@ bool ChildProcessSecurityPolicyImpl::CanAccessCookiesForOrigin(
   return state->second->CanAccessCookiesForOrigin(gurl);
 }
 
-bool ChildProcessSecurityPolicyImpl::CanSendCookiesForOrigin(int child_id,
-                                                             const GURL& gurl) {
-  for (PluginProcessHostIterator iter; !iter.Done(); ++iter) {
-    if (iter.GetData().id == child_id) {
-      if (iter.GetData().process_type == PROCESS_TYPE_PLUGIN) {
-        // NPAPI plugin processes are unsandboxed and so are trusted. Plugins
-        // can make request to any origin.
-        return true;
-      }
-      break;
-    }
-  }
-
-  base::AutoLock lock(lock_);
-  SecurityStateMap::iterator state = security_state_.find(child_id);
-  if (state == security_state_.end())
-    return false;
-  return state->second->CanSendCookiesForOrigin(gurl);
-}
-
 void ChildProcessSecurityPolicyImpl::LockToOrigin(int child_id,
                                                   const GURL& gurl) {
   // "gurl" can be currently empty in some cases, such as file://blah.
diff --git a/content/browser/child_process_security_policy_impl.h b/content/browser/child_process_security_policy_impl.h
index db673c1..61486b9 100644
--- a/content/browser/child_process_security_policy_impl.h
+++ b/content/browser/child_process_security_policy_impl.h
@@ -148,20 +148,12 @@ class CONTENT_EXPORT ChildProcessSecurityPolicyImpl
   // Returns true if the process is permitted to read and modify the cookies for
   // the given origin.  Does not affect cookies attached to or set by network
   // requests.
-  // Only might return false if the very experimental
-  // --enable-strict-site-isolation or --site-per-process flags are used.
+  // Only might return false if the --site-per-process flag is used.
   bool CanAccessCookiesForOrigin(int child_id, const GURL& gurl);
 
-  // Returns true if the process is permitted to attach cookies to (or have
-  // cookies set by) network requests.
-  // Only might return false if the very experimental
-  // --enable-strict-site-isolation or --site-per-process flags are used.
-  bool CanSendCookiesForOrigin(int child_id, const GURL& gurl);
-
   // Sets the process as only permitted to use and see the cookies for the
   // given origin.
-  // Only used if the very experimental --enable-strict-site-isolation or
-  // --site-per-process flags are used.
+  // Origin lock is applied only if the --site-per-process flag is used.
   void LockToOrigin(int child_id, const GURL& gurl);
 
   // Register FileSystem type and permission policy which should be used
diff --git a/content/browser/loader/resource_dispatcher_host_impl.cc b/content/browser/loader/resource_dispatcher_host_impl.cc
index baaf2f9..c69bcdb 100644
--- a/content/browser/loader/resource_dispatcher_host_impl.cc
+++ b/content/browser/loader/resource_dispatcher_host_impl.cc
@@ -2352,11 +2352,6 @@ int ResourceDispatcherHostImpl::BuildLoadFlagsForRequest(
 
   ChildProcessSecurityPolicyImpl* policy =
       ChildProcessSecurityPolicyImpl::GetInstance();
-  if (!policy->CanSendCookiesForOrigin(child_id, request_data.url)) {
-    load_flags |= (net::LOAD_DO_NOT_SEND_COOKIES |
-                   net::LOAD_DO_NOT_SEND_AUTH_DATA |
-                   net::LOAD_DO_NOT_SAVE_COOKIES);
-  }
 
   // Raw headers are sensitive, as they include Cookie/Set-Cookie, so only
   // allow requesting them if requester has ReadRawCookies permission.
diff --git a/content/browser/renderer_host/render_process_host_impl.cc b/content/browser/renderer_host/render_process_host_impl.cc
index d4da1d4..e03ec5b 100644
--- a/content/browser/renderer_host/render_process_host_impl.cc
+++ b/content/browser/renderer_host/render_process_host_impl.cc
@@ -1292,7 +1292,6 @@ void RenderProcessHostImpl::PropagateBrowserCommandLineToRenderer(
     switches::kEnableSmoothScrolling,
     switches::kEnableStaleWhileRevalidate,
     switches::kEnableStatsTable,
-    switches::kEnableStrictSiteIsolation,
     switches::kEnableThreadedCompositing,
     switches::kEnableTouchDragDrop,
     switches::kEnableTouchEditing,
@@ -1942,16 +1941,14 @@ RenderProcessHost* RenderProcessHost::FromID(int render_process_id) {
 // static
 bool RenderProcessHost::ShouldTryToUseExistingProcessHost(
     BrowserContext* browser_context, const GURL& url) {
-  // Experimental:
-  // If --enable-strict-site-isolation or --site-per-process is enabled, do not
-  // try to reuse renderer processes when over the limit.  (We could allow pages
-  // from the same site to share, if we knew what the given process was
-  // dedicated to.  Allowing no sharing is simpler for now.)  This may cause
-  // resource exhaustion issues if too many sites are open at once.
+  // If --site-per-process is enabled, do not try to reuse renderer processes
+  // when over the limit.  (We could allow pages from the same site to share, if
+  // we knew what the given process was dedicated to.  Allowing no sharing is
+  // simpler for now.)  This may cause resource exhaustion issues if too many
+  // sites are open at once.
   const base::CommandLine& command_line =
       *base::CommandLine::ForCurrentProcess();
-  if (command_line.HasSwitch(switches::kEnableStrictSiteIsolation) ||
-      command_line.HasSwitch(switches::kSitePerProcess))
+  if (command_line.HasSwitch(switches::kSitePerProcess))
     return false;
 
   if (run_renderer_in_process())
diff --git a/content/browser/renderer_host/render_process_host_unittest.cc b/content/browser/renderer_host/render_process_host_unittest.cc
index e25c53c..83aa6b2 100644
--- a/content/browser/renderer_host/render_process_host_unittest.cc
+++ b/content/browser/renderer_host/render_process_host_unittest.cc
@@ -33,13 +33,11 @@ TEST_F(RenderProcessHostUnitTest, GuestsAreNotSuitableHosts) {
 
 #if !defined(OS_ANDROID)
 TEST_F(RenderProcessHostUnitTest, RendererProcessLimit) {
-  // This test shouldn't run with --site-per-process or
-  // --enable-strict-site-isolation modes, since they don't allow renderer
-  // process reuse, which this test explicitly exercises.
+  // This test shouldn't run with --site-per-process mode, which prohibits
+  // the renderer process reuse this test explicitly exercises.
   const base::CommandLine& command_line =
       *base::CommandLine::ForCurrentProcess();
-  if (command_line.HasSwitch(switches::kSitePerProcess) ||
-      command_line.HasSwitch(switches::kEnableStrictSiteIsolation))
+  if (command_line.HasSwitch(switches::kSitePerProcess))
     return;
 
   // Disable any overrides.
diff --git a/content/browser/site_instance_impl.cc b/content/browser/site_instance_impl.cc
index 5930d83..f17d578 100644
--- a/content/browser/site_instance_impl.cc
+++ b/content/browser/site_instance_impl.cc
@@ -341,12 +341,11 @@ void SiteInstanceImpl::RenderProcessHostDestroyed(RenderProcessHost* host) {
 }
 
 void SiteInstanceImpl::LockToOrigin() {
-  // We currently only restrict this process to a particular site if the
-  // --enable-strict-site-isolation or --site-per-process flags are present.
+  // We currently only restrict this process to a particular site if --site-per-
+  // process flag is present.
   const base::CommandLine& command_line =
       *base::CommandLine::ForCurrentProcess();
-  if (command_line.HasSwitch(switches::kEnableStrictSiteIsolation) ||
-      command_line.HasSwitch(switches::kSitePerProcess)) {
+  if (command_line.HasSwitch(switches::kSitePerProcess)) {
     ChildProcessSecurityPolicyImpl* policy =
         ChildProcessSecurityPolicyImpl::GetInstance();
     policy->LockToOrigin(process_->GetID(), site_);
diff --git a/content/browser/site_instance_impl_unittest.cc b/content/browser/site_instance_impl_unittest.cc
index ff32c38..4f90163 100644
--- a/content/browser/site_instance_impl_unittest.cc
+++ b/content/browser/site_instance_impl_unittest.cc
@@ -567,13 +567,11 @@ static SiteInstanceImpl* CreateSiteInstance(BrowserContext* browser_context,
 // Test to ensure that pages that require certain privileges are grouped
 // in processes with similar pages.
 TEST_F(SiteInstanceTest, ProcessSharingByType) {
-  // This test shouldn't run with --site-per-process or
-  // --enable-strict-site-isolation modes, since they don't allow render
-  // process reuse, which this test explicitly exercises.
+  // This test shouldn't run with --site-per-process mode, which prohibits
+  // the renderer process reuse this test explicitly exercises.
   const base::CommandLine& command_line =
       *base::CommandLine::ForCurrentProcess();
-  if (command_line.HasSwitch(switches::kSitePerProcess) ||
-      command_line.HasSwitch(switches::kEnableStrictSiteIsolation))
+  if (command_line.HasSwitch(switches::kSitePerProcess))
     return;
 
   // On Android by default the number of renderer hosts is unlimited and process
diff --git a/content/public/common/content_switches.cc b/content/public/common/content_switches.cc
index f7c94dd..3c4416e 100644
--- a/content/public/common/content_switches.cc
+++ b/content/public/common/content_switches.cc
@@ -437,18 +437,6 @@ const char kEnableStaleWhileRevalidate[]    = "enable-stale-while-revalidate";
 // Enables StatsTable, logging statistics to a global named shared memory table.
 const char kEnableStatsTable[]              = "enable-stats-table";
 
-// Experimentally ensures that each renderer process:
-// 1) Only handles rendering for pages from a single site, apart from iframes.
-// (Note that a page can reference content from multiple origins due to images,
-// JavaScript files, etc.  Cross-site iframes are also loaded in-process.)
-// 2) Only has authority to see or use cookies for the page's top-level origin.
-// (So if a.com iframes b.com, the b.com network request will be sent without
-// cookies.)
-// This is expected to break compatibility with many pages for now.  Unlike the
-// --site-per-process flag, this allows cross-site iframes, but it blocks all
-// cookies on cross-site requests.
-const char kEnableStrictSiteIsolation[]     = "enable-strict-site-isolation";
-
 // Blocks all insecure requests from secure contexts, and prevents the user
 // from overriding that decision.
 const char kEnableStrictMixedContentChecking[] =
@@ -749,15 +737,16 @@ const char kShowPaintRects[]                = "show-paint-rects";
 // Runs the renderer and plugins in the same process as the browser
 const char kSingleProcess[]                 = "single-process";
 
-// Experimentally enforces a one-site-per-process security policy.
-// All cross-site navigations force process swaps, and we can restrict a
-// renderer process's access rights based on its site.  For details, see:
-// http://www.chromium.org/developers/design-documents/site-isolation
+// Enforces a one-site-per-process security policy:
+//  * Each renderer process, for its whole lifetime, is dedicated to rendering
+//    pages for just one site.
+//  * Thus, pages from different sites are never in the same process.
+//  * A renderer process's access rights are restricted based on its site.
+//  * All cross-site navigations force process swaps.
+//  * <iframe>s are rendered out-of-process whenever the src= is cross-site.
 //
-// Unlike --enable-strict-site-isolation (which allows cross-site iframes),
-// this flag does not affect which cookies are attached to cross-site requests.
-// Support is being added to render cross-site iframes in a different process
-// than their parent pages.
+// More details here:
+// http://www.chromium.org/developers/design-documents/site-isolation
 const char kSitePerProcess[]                = "site-per-process";
 
 // Skip gpu info collection, blacklist loading, and blacklist auto-update
diff --git a/content/public/common/content_switches.h b/content/public/common/content_switches.h
index ce84514..236e266 100644
--- a/content/public/common/content_switches.h
+++ b/content/public/common/content_switches.h
@@ -133,7 +133,6 @@ CONTENT_EXPORT extern const char kEnableStaleWhileRevalidate[];
 CONTENT_EXPORT extern const char kEnableStatsTable[];
 CONTENT_EXPORT extern const char kEnableStrictMixedContentChecking[];
 CONTENT_EXPORT extern const char kEnableStrictPowerfulFeatureRestrictions[];
-CONTENT_EXPORT extern const char kEnableStrictSiteIsolation[];
 CONTENT_EXPORT extern const char kEnableServiceWorkerSync[];
 CONTENT_EXPORT extern const char kEnableTcpFastOpen[];
 CONTENT_EXPORT extern const char kEnableThreadedCompositing[];
diff --git a/content/renderer/render_frame_impl.cc b/content/renderer/render_frame_impl.cc
index 126821d..704c207 100644
--- a/content/renderer/render_frame_impl.cc
+++ b/content/renderer/render_frame_impl.cc
@@ -4161,34 +4161,6 @@ WebNavigationPolicy RenderFrameImpl::DecidePolicyForNavigation(
   bool is_content_initiated =
       document_state->navigation_state()->IsContentInitiated();
 
-  // Experimental:
-  // If --enable-strict-site-isolation is enabled, send all top-level
-  // navigations to the browser to let it swap processes when crossing site
-  // boundaries.  This is currently expected to break some script calls and
-  // navigations, such as form submissions.
-  bool force_swap_due_to_flag =
-      command_line.HasSwitch(switches::kEnableStrictSiteIsolation);
-  if (force_swap_due_to_flag &&
-      !info.frame->parent() && (is_content_initiated || info.isRedirect)) {
-    WebString origin_str = info.frame->document().securityOrigin().toString();
-    GURL frame_url(origin_str.utf8().data());
-    // TODO(cevans): revisit whether this site check is still necessary once
-    // crbug.com/101395 is fixed.
-    bool same_domain_or_host =
-        net::registry_controlled_domains::SameDomainOrHost(
-            frame_url,
-            url,
-            net::registry_controlled_domains::INCLUDE_PRIVATE_REGISTRIES);
-    // Only keep same-site (domain + scheme) and data URLs in the same process.
-    bool is_same_site =
-        (same_domain_or_host && frame_url.scheme() == url.scheme()) ||
-        url.SchemeIs(url::kDataScheme);
-    if (!is_same_site) {
-      OpenURL(info.frame, url, referrer, info.defaultPolicy);
-      return blink::WebNavigationPolicyIgnore;
-    }
-  }
-
   // If the browser is interested, then give it a chance to look at the request.
   if (is_content_initiated) {
     bool is_form_post =