path: root/content/common/site_isolation_policy.h
// Copyright 2015 The Chromium Authors. All rights reserved.
// Use of this source code is governed by a BSD-style license that can be
// found in the LICENSE file.

#ifndef CONTENT_COMMON_SITE_ISOLATION_POLICY_H_
#define CONTENT_COMMON_SITE_ISOLATION_POLICY_H_

#include "base/basictypes.h"
#include "content/common/content_export.h"
#include "url/gurl.h"

namespace content {

// A centralized place for making policy decisions about out-of-process iframes,
// site isolation, --site-per-process, and related features.
//
// Every method is static because all of these modes are currently controlled
// by command-line flags. The class declares no data members and cannot be
// instantiated (its constructor is private).
//
// These methods can be called from any thread.
//
// Security note: DoesSiteRequireDedicatedProcess() is the query that says
// whether a site's pages must stay in a renderer process isolated from other
// sites. Code that relies on that process boundary should ask this class
// rather than reading the command-line switches itself, so the policy stays in
// one place that can be audited and changed.
class CONTENT_EXPORT SiteIsolationPolicy {
 public:
  // Returns true if the current process model might allow the use of cross-
  // process iframes. This should typically be used to avoid executing
  // codepaths that only matter for cross-process iframes, to protect the
  // default behavior.
  //
  // A true result only means that such frames are possible in this mode; it
  // says nothing about whether any particular frame is actually cross-process.
  //
  // Note: Since cross-process frames will soon be possible by default (e.g. for
  // <iframe src="http://..."> in an extension process), usage should be limited
  // to temporary stop-gaps.
  //
  // Instead of calling this method, prefer to examine object state to see
  // whether a particular frame happens to have a cross-process relationship
  // with another, or to consult DoesSiteRequireDedicatedProcess() to see if a
  // particular site merits protection.
  static bool AreCrossProcessFramesPossible();

  // Returns true if pages loaded from |url|'s site ought to be handled only by
  // a renderer process isolated from other sites. If --site-per-process is on
  // the command line, this is true for all sites.
  //
  // Eventually, this function will be made to return true for only some schemes
  // (e.g. extensions) or a whitelist of sites that we should protect for this
  // user.
  //
  // Although |url| is currently ignored, callers can assume for now that they
  // can pass a full URL here -- they needn't canonicalize it to a site.
  //
  // Because |url| is ignored today, the answer reflects the process-wide mode
  // rather than a judgement about the specific site that was passed in.
  // NOTE(review): this header does not state what is returned when
  // --site-per-process is absent; presumably false for every site -- confirm
  // against the implementation before relying on it for an isolation decision.
  static bool DoesSiteRequireDedicatedProcess(const GURL& url);

  // Returns true if navigation and history code should maintain per-frame
  // navigation entries. This is an in-progress feature related to site
  // isolation, so the return value is currently tied to --site-per-process.
  // TODO(creis, avi): Make this the default, and eliminate this.
  static bool UseSubframeNavigationEntries();

  // Returns true if we are currently in a mode where the swapped out state
  // should not be used. Currently (as an implementation strategy) swapped out
  // is forbidden under --site-per-process, but our goal is to eliminate the
  // mode entirely. In code that deals with the swapped out state, prefer calls
  // to this function over consulting the switches directly. It will be easier
  // to grep, and easier to rip out.
  //
  // TODO(nasko): When swappedout:// is eliminated entirely, this function
  // should be removed and its callers cleaned up.
  static bool IsSwappedOutStateForbidden();

 private:
  // Declared private so the class can only be used through its static
  // methods.
  SiteIsolationPolicy();  // Not instantiable.

  // Also suppresses copy construction and copy assignment.
  DISALLOW_COPY_AND_ASSIGN(SiteIsolationPolicy);
};

}  // namespace content

#endif  // CONTENT_COMMON_SITE_ISOLATION_POLICY_H_