Fix strict origin isolation for non-HTTP/HTTPS effective site URLs.

Previously, with strict origin isolation, we computed the site URL as
the URL's full origin whenever the URL's origin had a host (and was
not a file URL). This also incorrectly triggered for effective URLs,
such as chrome-extension://hosted_app_id/, where returning the origin
right away skipped some essential logic below that appended the
non-translated site URL to the site URL's hash. That led to not being
able to swap processes on cross-site transitions within hosted apps.

Fix this by restricting strict origin isolation to only affect
HTTP/HTTPS URLs.

Bug: 961386
Change-Id: I224cfe4df23ec55a0429c626fd6f439da1ef3041
Reviewed-on: https://chromium-review.googlesource.com/c/chromium/src/+/1603745
Reviewed-by: Charlie Reis <[email protected]>
Commit-Queue: Alex Moshchuk <[email protected]>
Cr-Commit-Position: refs/heads/master@{#658368}
diff --git a/content/browser/site_instance_impl.cc b/content/browser/site_instance_impl.cc
index e5d990b5..a432090 100644
--- a/content/browser/site_instance_impl.cc
+++ b/content/browser/site_instance_impl.cc
@@ -618,7 +618,13 @@
// (which ignores the hostname in this case - see https://crbug.com/776160).
GURL site_url;
if (!origin.host().empty() && origin.scheme() != url::kFileScheme) {
- if (SiteIsolationPolicy::IsStrictOriginIsolationEnabled())
+ // For Strict Origin Isolation, use the full origin instead of site for all
+ // HTTP/HTTPS URLs. Note that the HTTP/HTTPS restriction guarantees that
+ // we won't hit this for hosted app effective URLs, which would otherwise
+ // need to append a non-translated site URL to the hash below (see
+ // https://crbug.com/961386).
+ if (SiteIsolationPolicy::IsStrictOriginIsolationEnabled() &&
+ origin.GetURL().SchemeIsHTTPOrHTTPS())
return origin.GetURL();
site_url = GetSiteForOrigin(origin);
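Review bot: The added `origin.GetURL().SchemeIsHTTPOrHTTPS()` condition excludes every non-HTTP/HTTPS origin that has a host, not only hosted app effective URLs, so with strict origin isolation enabled any such origin now falls through to `site_url = GetSiteForOrigin(origin);` and is keyed by site instead of by full origin. The new comment names only the hosted app case; it should state that all other host-bearing schemes take the site-level path too, so that the narrowing of isolation reads as intentional. A regression test for a cross-site transition inside a hosted app with strict origin isolation enabled would pin the behavior described in the commit message. Minor: `origin.GetURL()` is evaluated once for the scheme check and again for the return value; testing `origin.scheme()` directly, as the enclosing `if` already does for `url::kFileScheme`, would avoid constructing the GURL just to inspect its scheme.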