Move existing kSitePerProcess checks to a policy-oracle object

Introduces SiteIsolationPolicy, which interprets the kSitePerProcess
switch (and eventually others too), in order to make decisions about
oopifs, oopif-related features, and site isolation policy.

Replace explicit calls to HasSwitch(content::kSitePerProcess) with
calls to appropriate methods of SiteIsolationPolicy,
BrowserPluginGuestMode, or content's browser_test_utils.
SiteIsolationPolicy is content-internal, and I expect it eventually
to become a stateful object.

There are six cases:

1. SiteIsolationPolicy::DoesSiteRequireDedicatedProcess(url)  This
   anticipates site isolation being launched for a subset of
   sites/schemes.
2. BrowserPluginGuestMode::UseCrossProcessFramesForGuests()  Tracks
   some current feature work that requires out of process iframes and
   so piggybacks on --site-per-process. We ought to control this by a
   different flag
3. SiteIsolationPolicy::AreCrossProcessFramesPossible()  For dchecks
   and determining whether to create proxies -- basically it is the
   "or" of all of the above functions.
4. SiteIsolationPolicy::UseSubframeNavigationEntries()  Tracks some
   current feature work related to navigation, that's tied to --site-
   per-process. Expected to be shortlived.
5. IsSwappedOutStateForbidden()  (on RFHM/RFProxy) Another class of
   temporary feature work.
6. content::AreAllSitesIsolatedForTesting()  For bailing out of
   tests.

BUG=481066

Review URL: https://codereview.chromium.org/1208143002

Cr-Commit-Position: refs/heads/master@{#340570}

1 files changed, 12 insertions, 7 deletions

diff --git a/content/browser/site_instance_impl.cc b/content/browser/site_instance_impl.cc
index ad335f5..77f54bc 100644
--- a/content/browser/site_instance_impl.cc
+++ b/content/browser/site_instance_impl.cc
@@ -4,16 +4,15 @@
 
 #include "content/browser/site_instance_impl.h"
 
-#include "base/command_line.h"
 #include "content/browser/browsing_instance.h"
 #include "content/browser/child_process_security_policy_impl.h"
 #include "content/browser/frame_host/debug_urls.h"
 #include "content/browser/renderer_host/render_process_host_impl.h"
 #include "content/browser/storage_partition_impl.h"
+#include "content/common/site_isolation_policy.h"
 #include "content/public/browser/content_browser_client.h"
 #include "content/public/browser/render_process_host_factory.h"
 #include "content/public/browser/web_ui_controller_factory.h"
-#include "content/public/common/content_switches.h"
 #include "content/public/common/url_constants.h"
 #include "net/base/registry_controlled_domains/registry_controlled_domain.h"
 
@@ -211,6 +210,12 @@ bool SiteInstanceImpl::HasWrongProcessForURL(const GURL& url) {
       GetProcess(), browsing_instance_->browser_context(), site_url);
 }
 
+bool SiteInstanceImpl::RequiresDedicatedProcess() {
+  if (!has_site_)
+    return false;
+  return SiteIsolationPolicy::DoesSiteRequireDedicatedProcess(site_);
+}
+
 void SiteInstanceImpl::IncrementRelatedActiveContentsCount() {
   browsing_instance_->increment_active_contents_count();
 }
@@ -341,11 +346,11 @@ void SiteInstanceImpl::RenderProcessHostDestroyed(RenderProcessHost* host) {
 }
 
 void SiteInstanceImpl::LockToOrigin() {
-  // We currently only restrict this process to a particular site if --site-per-
-  // process flag is present.
-  const base::CommandLine& command_line =
-      *base::CommandLine::ForCurrentProcess();
-  if (command_line.HasSwitch(switches::kSitePerProcess)) {
+  // TODO(nick): When all sites are isolated, this operation provides strong
+  // protection. If only some sites are isolated, we need additional logic to
+  // prevent the non-isolated sites from requesting resources for isolated
+  // sites. https://crbug.com/509125
+  if (SiteIsolationPolicy::DoesSiteRequireDedicatedProcess(site_)) {
     // Guest processes cannot be locked to its site because guests always have
     // a fixed SiteInstance. The site of GURLs a guest loads doesn't match that
     // SiteInstance. So we skip locking the guest process to the site.