Exclude file: URLs from default SiteInstance.
This ensures that the default SiteInstance's process doesn't
accumulate file:// URL access grants over time, where any
other non-isolated site might abuse them.
- Refactor default SiteInstance logic so new conditions only need to be
added in one place.
- Added a new condition that excludes file: URLs from being allowed in
the default SiteInstance.
Bug: 958060
Change-Id: Id97785790c14bb0d5469089f4ce6cd2786665b04
Reviewed-on: https://chromium-review.googlesource.com/c/chromium/src/+/1699242
Reviewed-by: Aaron Colwell <[email protected]>
Reviewed-by: Charlie Reis <[email protected]>
Commit-Queue: Aaron Colwell <[email protected]>
Cr-Commit-Position: refs/heads/master@{#678878}
diff --git a/content/browser/site_instance_impl.cc b/content/browser/site_instance_impl.cc
index c6bc3bf..e1868a4 100644
--- a/content/browser/site_instance_impl.cc
+++ b/content/browser/site_instance_impl.cc
@@ -768,16 +768,52 @@
}
if (allow_default_site_url &&
- !base::FeatureList::IsEnabled(
- features::kProcessSharingWithStrictSiteInstances) &&
- SiteInstanceImpl::ShouldAssignSiteForURL(url) &&
- !DoesSiteURLRequireDedicatedProcess(isolation_context, site_url)) {
+ CanBePlacedInDefaultSiteInstance(isolation_context, url, site_url)) {
return GetDefaultSiteURL();
}
return site_url;
}
// static
+bool SiteInstanceImpl::CanBePlacedInDefaultSiteInstance(
+ const IsolationContext& isolation_context,
+ const GURL& url,
+ const GURL& site_url) {
+ // Exclude "chrome-guest:" URLs from the default SiteInstance to ensure that
+ // guest specific process selection, process swapping, and storage partition
+ // behavior is preserved.
+ if (url.SchemeIs(kGuestScheme))
+ return false;
+
+ // Exclude "file://" URLs from the default SiteInstance to prevent the
+ // default SiteInstance process from accumulating file access grants that
+ // could be exploited by other non-isolated sites.
+ if (url.SchemeIs(url::kFileScheme))
+ return false;
+
+ // Don't use the default SiteInstance when
+ // kProcessSharingWithStrictSiteInstances is enabled because we want each
+ // site to have its own SiteInstance object and logic elsewhere ensures
+ // that those SiteInstances share a process.
+ if (base::FeatureList::IsEnabled(
+ features::kProcessSharingWithStrictSiteInstances)) {
+ return false;
+ }
+
+ // Don't use the default SiteInstance when SiteInstance doesn't assign a
+ // site URL for |url|, since in that case the SiteInstance should remain
+ // unused, and a subsequent navigation should always be able to reuse it,
+ // whether or not it's to a site requiring a dedicated process or to a site
+ // that will use the default SiteInstance.
+ if (!ShouldAssignSiteForURL(url))
+ return false;
+
+ // Allow the default SiteInstance to be used for sites that don't need to be
+ // isolated in their own process.
+ return !DoesSiteURLRequireDedicatedProcess(isolation_context, site_url);
+}
+
+// static
GURL SiteInstanceImpl::GetSiteForOrigin(const url::Origin& origin) {
// Only keep the scheme and registered domain of |origin|.
std::string domain = net::registry_controlled_domains::GetDomainAndRegistry(
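Review bot: The new file: exclusion in CanBePlacedInDefaultSiteInstance tests only the scheme of the original `url`, while the isolation decision on the last line is made against `site_url`; a blob: or filesystem: URL whose inner origin is file: has a non-file scheme on `url` but, if GetSiteForURL derives the site from the origin as it does elsewhere, would carry a file: site URL and still be routed into the default SiteInstance, which is exactly the grant-accumulation path this change is meant to close. Checking both keeps the guard aligned with the site-level decision: `if (url.SchemeIs(url::kFileScheme) || site_url.SchemeIs(url::kFileScheme))`. Whether such wrapped URLs actually reach this function with a file: site URL depends on GetSiteForURL, which is outside this hunk, so confirm against it before relying on the url-only check. The enclosing caller at the top of the hunk starts before the hunk begins.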