Allow hosted apps contained within an isolated origin to go into an App process.
Previously, isolated origins always took precedence over hosted apps,
so that if an app URL matched an isolated origin, it would not be
allowed to load in an app process, because the site URL would not
resolve to the app's effective URL.
This CL relaxes this restriction to allow hosted apps that are
narrower than an isolated origin to still work. That is, when trying
to load an app URL which matches an isolated origin, we check if all
URLs in an app's extent match that particular isolated origin, and if
so, allow the app URL to load in an app process. This still prevents
an isolated origin from sharing the app process with untrusted origins
when the app's extent is too broad (e.g., accounts.google.com
would still be kept out of processes for apps that cover google.com),
while allowing common cases like GMail Offline, Calendar, or Drive to
work even when using --isolate-origins=https://google.com.
Bug: 799638
Change-Id: I6b1cbf8a0618b462edbefe6882efa8c8861d24bd
Reviewed-on: https://chromium-review.googlesource.com/862693
Commit-Queue: Alex Moshchuk <[email protected]>
Reviewed-by: Charlie Reis <[email protected]>
Reviewed-by: Devlin <[email protected]>
Cr-Commit-Position: refs/heads/master@{#529535}diff --git a/content/browser/site_instance_impl.cc b/content/browser/site_instance_impl.cc
index 5abcf9a..d961143 100644
--- a/content/browser/site_instance_impl.cc
+++ b/content/browser/site_instance_impl.cc
@@ -438,10 +438,7 @@
// static
GURL SiteInstanceImpl::GetEffectiveURL(BrowserContext* browser_context,
const GURL& url) {
- auto* policy = ChildProcessSecurityPolicyImpl::GetInstance();
- bool is_isolated_origin = policy->IsIsolatedOrigin(url::Origin::Create(url));
- return GetContentClient()->browser()->GetEffectiveURL(browser_context, url,
- is_isolated_origin);
+ return GetContentClient()->browser()->GetEffectiveURL(browser_context, url);
}
// static
