author | nick <nick@chromium.org> | 2015-07-27 14:51:08 -0700 |
---|---|---|
committer | Commit bot <commit-bot@chromium.org> | 2015-07-27 21:51:38 +0000 |
commit | d30fd969388ba0ffe122eb63c22776aa02a8836f (patch) | |
tree | e2117fa68c6350c6b5c1dcc7abed29eca33efe4e /content/common/site_isolation_policy.h | |
parent | 17de7455a3a1d5e4556d1ed18961e42d987e36c2 (diff) | |
Move existing kSitePerProcess checks to a policy-oracle object

Introduces SiteIsolationPolicy, which interprets the kSitePerProcess
switch (and eventually others too), in order to make decisions about
oopifs, oopif-related features, and site isolation policy.

Replace explicit calls to HasSwitch(content::kSitePerProcess) with
calls to appropriate methods of SiteIsolationPolicy,
BrowserPluginGuestMode, or content's browser_test_utils.

SiteIsolationPolicy is content-internal, and I expect it eventually
to become a stateful object.

There are six cases:

1. SiteIsolationPolicy::DoesSiteRequireDedicatedProcess(url)
   This anticipates site isolation being launched for a subset of
   sites/schemes.
2. BrowserPluginGuestMode::UseCrossProcessFramesForGuests()
   Tracks some current feature work that requires out of process
   iframes and so piggybacks on --site-per-process. We ought to
   control this by a different flag.
3. SiteIsolationPolicy::AreCrossProcessFramesPossible()
   For dchecks and determining whether to create proxies -- basically
   it is the "or" of all of the above functions.
4. SiteIsolationPolicy::UseSubframeNavigationEntries()
   Tracks some current feature work related to navigation, that's
   tied to --site-per-process. Expected to be short-lived.
5. IsSwappedOutStateForbidden() (on RFHM/RFProxy)
   Another class of temporary feature work.
6. content::AreAllSitesIsolatedForTesting()
   For bailing out of tests.

BUG=481066

Review URL: https://codereview.chromium.org/1208143002

Cr-Commit-Position: refs/heads/master@{#340570}

Diffstat (limited to 'content/common/site_isolation_policy.h')
-rw-r--r-- | content/common/site_isolation_policy.h | 64 |
1 files changed, 64 insertions, 0 deletions
diff --git a/content/common/site_isolation_policy.h b/content/common/site_isolation_policy.h new file mode 100644 index 0000000..07061dc --- /dev/null +++ b/content/common/site_isolation_policy.h 
@@ -0,0 +1,64 @@ +// Copyright 2015 The Chromium Authors. All rights reserved. +// Use of this source code is governed by a BSD-style license that can be +// found in the LICENSE file. + +#ifndef CONTENT_COMMON_SITE_ISOLATION_POLICY_H_ +#define CONTENT_COMMON_SITE_ISOLATION_POLICY_H_ + +#include "base/basictypes.h" +#include "content/common/content_export.h" +#include "url/gurl.h" + +namespace content { + +// A centralized place for making policy decisions about out-of-process iframes, +// site isolation, --site-per-process, and related features. +// +// This is currently static because all these modes are controlled by command- +// line flags. +// +// These methods can be called from any thread. +class CONTENT_EXPORT SiteIsolationPolicy { + public: + // Returns true if the current process model might allow the use of cross- + // process iframes. This should typically used to avoid executing codepaths + // that only matter for cross-process iframes, to protect the default + // behavior. + // + // Note: Since cross-process frames will soon be possible by default (e.g. for + // <iframe src="http://..."> in an extension process), usage should be limited + // to temporary stop-gaps. + // + // Instead of calling this method, prefer to examine object state to see + // whether a particular frame happens to have a cross-process relationship + // with another, or to consult DoesSiteRequireDedicatedProcess() to see if a + // particular site merits protection. + static bool AreCrossProcessFramesPossible(); + + // Returns true if pages loaded from |url|'s site ought to be handled only by + // a renderer process isolated from other sites. If --site-per-process is on + // the command line, this is true for all sites. + // + // Eventually, this function will be made to return true for only some schemes + // (e.g. extensions) or a whitelist of sites that we should protect for this + // user. 
+ // + // Although |url| is currently ignored, callers can assume for now that they + // can pass a full URL here -- they needn't canonicalize it to a site. + static bool DoesSiteRequireDedicatedProcess(const GURL& url); + + // Returns true if navigation and history code should maintain per-frame + // navigation entries. This is an in-progress feature related to site + // isolation, so the return value is currently tied to --site-per-process. + // TODO(creis, avi): Make this the default, and eliminate this. + static bool UseSubframeNavigationEntries(); + + private: + SiteIsolationPolicy(); // Not instantiable. + + DISALLOW_COPY_AND_ASSIGN(SiteIsolationPolicy); +}; + +} // namespace content + +#endif // CONTENT_COMMON_SITE_ISOLATION_POLICY_H_ |
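
Review bot: The header never documents how DoesSiteRequireDedicatedProcess() and AreCrossProcessFramesPossible() relate, even though the commit message describes the latter as the "or" of the other checks. The class comment should state the invariant explicitly: whenever DoesSiteRequireDedicatedProcess(url) returns true for any URL, AreCrossProcessFramesPossible() must also return true. Otherwise a later change that makes one of them stateful or per-site can let the isolation decision and the proxy-creation and DCHECK paths disagree without anything flagging it. In the DoesSiteRequireDedicatedProcess() comment, the note that |url| is currently ignored would also benefit from saying what callers should expect for an empty or invalid GURL once the argument starts to matter, so call sites written now do not pass placeholder URLs. Minor wording point in the AreCrossProcessFramesPossible() comment: "This should typically used" is missing "be".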