content/common/site_isolation_policy.h

   1 // Copyright 2015 The Chromium Authors. All rights reserved.
   2 // Use of this source code is governed by a BSD-style license that can be
   3 // found in the LICENSE file.
   4
   5 #ifndef CONTENT_COMMON_SITE_ISOLATION_POLICY_H_
   6 #define CONTENT_COMMON_SITE_ISOLATION_POLICY_H_
   7
   8 #include "base/basictypes.h"
   9 #include "content/common/content_export.h"
  10 #include "url/gurl.h"
  11
  12 namespace content {
  13
  14 // A centralized place for making policy decisions about out-of-process iframes,
  15 // site isolation, --site-per-process, and related features.
  16 //
  17 // This is currently static because all these modes are controlled by command-
  18 // line flags.
  19 //
  20 // These methods can be called from any thread.
  21 class CONTENT_EXPORT SiteIsolationPolicy {
  22  public:
  23   // Returns true if the current process model might allow the use of cross-
  24   // process iframes. This should typically used to avoid executing codepaths
  25   // that only matter for cross-process iframes, to protect the default
  26   // behavior.
  27   //
  28   // Note: Since cross-process frames will soon be possible by default (e.g. for
  29   // <iframe src="http://..."> in an extension process), usage should be limited
  30   // to temporary stop-gaps.
  31   //
  32   // Instead of calling this method, prefer to examine object state to see
  33   // whether a particular frame happens to have a cross-process relationship
  34   // with another, or to consult DoesSiteRequireDedicatedProcess() to see if a
  35   // particular site merits protection.
  36   static bool AreCrossProcessFramesPossible();
  37
  38   // Returns true if pages loaded from |url|'s site ought to be handled only by
  39   // a renderer process isolated from other sites. If --site-per-process is on
  40   // the command line, this is true for all sites.
  41   //
  42   // Eventually, this function will be made to return true for only some schemes
  43   // (e.g. extensions) or a whitelist of sites that we should protect for this
  44   // user.
  45   //
  46   // Although |url| is currently ignored, callers can assume for now that they
  47   // can pass a full URL here -- they needn't canonicalize it to a site.
  48   static bool DoesSiteRequireDedicatedProcess(const GURL& url);
  49
  50   // Returns true if navigation and history code should maintain per-frame
  51   // navigation entries. This is an in-progress feature related to site
  52   // isolation, so the return value is currently tied to --site-per-process.
  53   // TODO(creis, avi): Make this the default, and eliminate this.
  54   static bool UseSubframeNavigationEntries();
  55
  56   // Returns true if we are currently in a mode where the swapped out state
  57   // should not be used. Currently (as an implementation strategy) swapped out
  58   // is forbidden under --site-per-process, but our goal is to eliminate the
  59   // mode entirely. In code that deals with the swapped out state, prefer calls
  60   // to this function over consulting the switches directly. It will be easier
  61   // to grep, and easier to rip out.
  62   //
  63   // TODO(nasko): When swappedout:// is eliminated entirely, this function
  64   // should be removed and its callers cleaned up.
  65   static bool IsSwappedOutStateForbidden();
  66
  67  private:
  68   SiteIsolationPolicy();  // Not instantiable.
  69
  70   DISALLOW_COPY_AND_ASSIGN(SiteIsolationPolicy);
  71 };
  72
  73 }  // namespace content
  74
  75 #endif  // CONTENT_COMMON_SITE_ISOLATION_POLICY_H_