content/browser/process_lock.h - chromium/src - Git at Google

 // Copyright 2021 The Chromium Authors
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.

 #ifndef CONTENT_BROWSER_PROCESS_LOCK_H_
 #define CONTENT_BROWSER_PROCESS_LOCK_H_

 #include <optional>

 #include "content/browser/site_info.h"
 #include "content/browser/url_info.h"
 #include "content/browser/web_exposed_isolation_info.h"
 #include "content/public/browser/storage_partition_config.h"
 #include "content/public/browser/web_exposed_isolation_level.h"
 #include "url/origin.h"

 namespace content {

 class IsolationContext;

 // ProcessLock is a core part of Site Isolation, which is used to determine
 // which documents are allowed to load in a process and which site data the
 // process is allowed to access, based on the SiteInfo principal.
 //
 // If a process has a ProcessLock in the "invalid" state, then no SiteInstances
 // have been associated with the process and access should not be granted to
 // anything.
 //
 // Once a process is associated with its first SiteInstance, it transitions to
 // the "locked_to_site" or "allow_any_site" state depending on whether the
 // SiteInstance requires the process to be locked to a specific site or not.
 // If the SiteInstance does not require the process to be locked to a site, the
 // process will transition to the "allow_any_site" state and will allow any
 // site to commit in the process. Such a process can later be upgraded to the
 // "locked_to_site" state if something later determines that the process should
 // only allow access to a single site, but only if it hasn't otherwise been used
 // to render content. Once the process is in the "locked_to_site" state, it will
 // not be able to access site data from other sites.
 //
 // ProcessLock is currently defined in terms of a single SiteInfo with a process
 // lock URL, but it could be possible to define it in terms of multiple
 // SiteInfos that are compatible with each other.
 class CONTENT_EXPORT ProcessLock {
  public:
   // Create a lock that that represents a process that is associated with at
   // least one SiteInstance, but is not locked to a specific site. Any request
   // that wants to commit in this process must have a StoragePartitionConfig
   // and web-exposed isolation information (COOP/COEP, for example) that
   // match the values used to create this lock.
   static ProcessLock CreateAllowAnySite(
       const StoragePartitionConfig& storage_partition_config,
       const WebExposedIsolationInfo& web_exposed_isolation_info);

   // Create a lock for a specific UrlInfo. This method can be called from both
   // the UI and IO threads. Locks created with the same parameters must always
   // be considered equal independent of what thread they are called on. Special
   // care must be taken since SiteInfos created on different threads don't
   // always have the same contents for all their fields (e.g. site_url field is
   // thread dependent).
   static ProcessLock Create(const IsolationContext& isolation_context,
                             const UrlInfo& url_info);

   // Returns a ProcessLock representing what the given |site_info| requires.
   // Note that this may be different from the actual ProcessLock of the
   // resulting process, in cases where a locked process is not required (e.g.,
   // SiteInfos for http://unisolated.invalid).
   static ProcessLock FromSiteInfo(const SiteInfo& site_info);

   ProcessLock();
   ProcessLock(const ProcessLock& rhs);
   ProcessLock& operator=(const ProcessLock& rhs);

   ~ProcessLock();

   // Returns true if no information has been set on the lock.
   bool is_invalid() const { return !site_info_.has_value(); }

   // Returns true if the process is locked, but it is not restricted to a
   // specific site. Any site is allowed to commit in the process as long as
   // the request's COOP/COEP information matches the info provided when
   // the lock was created.
   bool allows_any_site() const {
     return site_info_.has_value() && site_info_->process_lock_url().is_empty();
   }

   // Returns true if the lock is restricted to a specific site and requires
   // the request's COOP/COEP information to match the values provided when
   // the lock was created.
   bool is_locked_to_site() const {
     return site_info_.has_value() && !site_info_->process_lock_url().is_empty();
   }

   // Returns the url that corresponds to the SiteInfo the lock is used with. It
   // will always be the same as the site URL, except in cases where effective
   // urls are in use. Always empty if the SiteInfo uses the default site url.
   // TODO(wjmaclean): Delete this accessor once we get to the point where we can
   // safely just compare ProcessLocks directly.
   const GURL lock_url() const {
     return site_info_.has_value() ? site_info_->process_lock_url() : GURL();
   }

   // Returns the site URL of the SiteInfo with which the lock was constructed.
   // Prefer comparing ProcessLocks directly or using lock_url(), unless you
   // care about effective URLs.
   const GURL site_url() const {
     return site_info_.has_value() ? site_info_->site_url() : GURL();
   }

   // Returns the AgentClusterKey shared by agents allowed in this ProcessLock.
   std::optional<AgentClusterKey> agent_cluster_key() const {
     return site_info_.has_value() ? site_info_->agent_cluster_key()
                                   : std::nullopt;
   }

   // Returns whether this ProcessLock is specific to an origin rather than
   // including subdomains, such as due to opt-in origin isolation. This resolves
   // an ambiguity of whether a process with a lock_url() like
   // "https://foo.example" is allowed to include "https://sub.foo.example" or
   // not.
   bool is_origin_keyed_process() const {
     return site_info_.has_value() &&
            site_info_->requires_origin_keyed_process();
   }

   // True if this ProcessLock is for a sandboxed iframe without
   // allow-same-origin.
   // TODO(wjmaclean): This function's return type could mutate to an enum in
   // future if required for sandboxed iframes that are restricted with different
   // sandbox flags.
   bool is_sandboxed() const {
     return site_info_.has_value() && site_info_->is_sandboxed();
   }

   // If this ProcessLock is for a sandboxed iframe without allow-same-origin,
   // and per-document grouping has been enabled for kIsolateSandboxedIframes,
   // then each SiteInfo will have a unique sandbox id encoded as part of the
   // lock. If per-document grouping is not enabled, this returns
   // UrlInfo::kInvalidUniqueSandboxId.
   int unique_sandbox_id() const {
     return (site_info_.has_value() ? site_info_->unique_sandbox_id()
                                    : UrlInfo::kInvalidUniqueSandboxId);
   }

   // Returns whether this ProcessLock is specific to PDF contents.
   bool is_pdf() const { return site_info_.has_value() && site_info_->is_pdf(); }

   // Returns whether this ProcessLock can only be used for error pages.
   bool is_error_page() const {
     return site_info_.has_value() && site_info_->is_error_page();
   }

   // Returns whether this ProcessLock is used for a <webview> guest process.
   // This may be false for other types of GuestView.
   bool is_guest() const {
     return site_info_.has_value() && site_info_->is_guest();
   }

   // Returns whether this ProcessLock is used for a process that exclusively
   // hosts content inside a <fencedframe>.
   bool is_fenced() const {
     return site_info_.has_value() && site_info_->is_fenced();
   }

   // Returns the StoragePartitionConfig that corresponds to the SiteInfo the
   // lock is used with.
   StoragePartitionConfig GetStoragePartitionConfig() const;

   // Returns the cross-origin isolation mode of the BrowsingInstance that all
   // agents allowed in this ProcessLock belong to. See
   // https://html.spec.whatwg.org/multipage/document-sequences.html#cross-origin-isolation-mode
   // This is tracked on ProcessLock because a RenderProcessHost can host only
   // cross-origin isolated agents or only non-cross-origin isolated agents, not
   // both.
   WebExposedIsolationInfo GetWebExposedIsolationInfo() const;

   // Returns the cross-origin isolated capability of all agents allowed in this
   // ProcessLock, without taking into account the 'cross-origin-isolated'
   // permissions policy. This ignores permissions policy because it's currently
   // possible for agents with the same ProcessLock to have different
   // 'cross-origin-isolated' permission policies. This can return a lower
   // isolation level than `GetWebExposedIsolationInfo()` if this ProcessLock
   // hosts agents that are cross-origin to a top-level document with the
   // 'isolated application' isolation level. See
   // https://html.spec.whatwg.org/multipage/webappapis.html#dom-crossoriginisolated
   WebExposedIsolationLevel GetWebExposedIsolationLevel() const;

   // Returns whether lock_url() is at least at the granularity of a site (i.e.,
   // a scheme plus eTLD+1, like https://google.com).  Also returns true if the
   // lock is to a more specific origin (e.g., https://accounts.google.com), but
   // not if the lock is empty or applies to an entire scheme (e.g., file://).
   bool IsASiteOrOrigin() const;

   bool matches_scheme(const std::string& scheme) const {
     return scheme == lock_url().scheme();
   }

   // Returns true if lock_url() has an opaque origin.
   bool HasOpaqueOrigin() const;

   // Returns true if |origin| matches the lock's origin.
   bool MatchesOrigin(const url::Origin& origin) const;

   // Returns true if the COOP/COEP origin isolation information in this lock
   // is set and matches the information in |site_info|.
   // Returns true if the web-exposed isolation level in this lock is set and
   // matches (or exceeds) the level set in |site_info|.|.
   bool IsCompatibleWithWebExposedIsolation(const SiteInfo& site_info) const;

   bool operator==(const ProcessLock& rhs) const;
   bool operator!=(const ProcessLock& rhs) const;
   // Defined to allow this object to act as a key for std::map.
   bool operator<(const ProcessLock& rhs) const;

   std::string ToString() const;

  private:
   explicit ProcessLock(const SiteInfo& site_info);

   // TODO(creis): Consider tracking multiple compatible SiteInfos in ProcessLock
   // (e.g., multiple sites when Site Isolation is disabled). This can better
   // restrict what the process has access to in cases that we currently use an
   // allows-any-site ProcessLock.
   std::optional<SiteInfo> site_info_;
 };

 CONTENT_EXPORT std::ostream& operator<<(std::ostream& out,
                                         const ProcessLock& process_lock);

 }  // namespace content

 #endif  // CONTENT_BROWSER_PROCESS_LOCK_H_
	// Copyright 2021 The Chromium Authors
	// Use of this source code is governed by a BSD-style license that can be
	// found in the LICENSE file.

	#ifndef CONTENT_BROWSER_PROCESS_LOCK_H_
	#define CONTENT_BROWSER_PROCESS_LOCK_H_

	#include <optional>

	#include "content/browser/site_info.h"
	#include "content/browser/url_info.h"
	#include "content/browser/web_exposed_isolation_info.h"
	#include "content/public/browser/storage_partition_config.h"
	#include "content/public/browser/web_exposed_isolation_level.h"
	#include "url/origin.h"

	namespace content {

	class IsolationContext;

	// ProcessLock is a core part of Site Isolation, which is used to determine
	// which documents are allowed to load in a process and which site data the
	// process is allowed to access, based on the SiteInfo principal.
	//
	// If a process has a ProcessLock in the "invalid" state, then no SiteInstances
	// have been associated with the process and access should not be granted to
	// anything.
	//
	// Once a process is associated with its first SiteInstance, it transitions to
	// the "locked_to_site" or "allow_any_site" state depending on whether the
	// SiteInstance requires the process to be locked to a specific site or not.
	// If the SiteInstance does not require the process to be locked to a site, the
	// process will transition to the "allow_any_site" state and will allow any
	// site to commit in the process. Such a process can later be upgraded to the
	// "locked_to_site" state if something later determines that the process should
	// only allow access to a single site, but only if it hasn't otherwise been used
	// to render content. Once the process is in the "locked_to_site" state, it will
	// not be able to access site data from other sites.
	//
	// ProcessLock is currently defined in terms of a single SiteInfo with a process
	// lock URL, but it could be possible to define it in terms of multiple
	// SiteInfos that are compatible with each other.
	class CONTENT_EXPORT ProcessLock {
	public:
	// Create a lock that that represents a process that is associated with at
	// least one SiteInstance, but is not locked to a specific site. Any request
	// that wants to commit in this process must have a StoragePartitionConfig
	// and web-exposed isolation information (COOP/COEP, for example) that
	// match the values used to create this lock.
	static ProcessLock CreateAllowAnySite(
	const StoragePartitionConfig& storage_partition_config,
	const WebExposedIsolationInfo& web_exposed_isolation_info);

	// Create a lock for a specific UrlInfo. This method can be called from both
	// the UI and IO threads. Locks created with the same parameters must always
	// be considered equal independent of what thread they are called on. Special
	// care must be taken since SiteInfos created on different threads don't
	// always have the same contents for all their fields (e.g. site_url field is
	// thread dependent).
	static ProcessLock Create(const IsolationContext& isolation_context,
	const UrlInfo& url_info);

	// Returns a ProcessLock representing what the given \|site_info\| requires.
	// Note that this may be different from the actual ProcessLock of the
	// resulting process, in cases where a locked process is not required (e.g.,
	// SiteInfos for http://unisolated.invalid).
	static ProcessLock FromSiteInfo(const SiteInfo& site_info);

	ProcessLock();
	ProcessLock(const ProcessLock& rhs);
	ProcessLock& operator=(const ProcessLock& rhs);

	~ProcessLock();

	// Returns true if no information has been set on the lock.
	bool is_invalid() const { return !site_info_.has_value(); }

	// Returns true if the process is locked, but it is not restricted to a
	// specific site. Any site is allowed to commit in the process as long as
	// the request's COOP/COEP information matches the info provided when
	// the lock was created.
	bool allows_any_site() const {
	return site_info_.has_value() && site_info_->process_lock_url().is_empty();
	}

	// Returns true if the lock is restricted to a specific site and requires
	// the request's COOP/COEP information to match the values provided when
	// the lock was created.
	bool is_locked_to_site() const {
	return site_info_.has_value() && !site_info_->process_lock_url().is_empty();
	}

	// Returns the url that corresponds to the SiteInfo the lock is used with. It
	// will always be the same as the site URL, except in cases where effective
	// urls are in use. Always empty if the SiteInfo uses the default site url.
	// TODO(wjmaclean): Delete this accessor once we get to the point where we can
	// safely just compare ProcessLocks directly.
	const GURL lock_url() const {
	return site_info_.has_value() ? site_info_->process_lock_url() : GURL();
	}

	// Returns the site URL of the SiteInfo with which the lock was constructed.
	// Prefer comparing ProcessLocks directly or using lock_url(), unless you
	// care about effective URLs.
	const GURL site_url() const {
	return site_info_.has_value() ? site_info_->site_url() : GURL();
	}

	// Returns the AgentClusterKey shared by agents allowed in this ProcessLock.
	std::optional<AgentClusterKey> agent_cluster_key() const {
	return site_info_.has_value() ? site_info_->agent_cluster_key()
	: std::nullopt;
	}

	// Returns whether this ProcessLock is specific to an origin rather than
	// including subdomains, such as due to opt-in origin isolation. This resolves
	// an ambiguity of whether a process with a lock_url() like
	// "https://foo.example" is allowed to include "https://sub.foo.example" or
	// not.
	bool is_origin_keyed_process() const {
	return site_info_.has_value() &&
	site_info_->requires_origin_keyed_process();
	}

	// True if this ProcessLock is for a sandboxed iframe without
	// allow-same-origin.
	// TODO(wjmaclean): This function's return type could mutate to an enum in
	// future if required for sandboxed iframes that are restricted with different
	// sandbox flags.
	bool is_sandboxed() const {
	return site_info_.has_value() && site_info_->is_sandboxed();
	}

	// If this ProcessLock is for a sandboxed iframe without allow-same-origin,
	// and per-document grouping has been enabled for kIsolateSandboxedIframes,
	// then each SiteInfo will have a unique sandbox id encoded as part of the
	// lock. If per-document grouping is not enabled, this returns
	// UrlInfo::kInvalidUniqueSandboxId.
	int unique_sandbox_id() const {
	return (site_info_.has_value() ? site_info_->unique_sandbox_id()
	: UrlInfo::kInvalidUniqueSandboxId);
	}

	// Returns whether this ProcessLock is specific to PDF contents.
	bool is_pdf() const { return site_info_.has_value() && site_info_->is_pdf(); }

	// Returns whether this ProcessLock can only be used for error pages.
	bool is_error_page() const {
	return site_info_.has_value() && site_info_->is_error_page();
	}

	// Returns whether this ProcessLock is used for a <webview> guest process.
	// This may be false for other types of GuestView.
	bool is_guest() const {
	return site_info_.has_value() && site_info_->is_guest();
	}

	// Returns whether this ProcessLock is used for a process that exclusively
	// hosts content inside a <fencedframe>.
	bool is_fenced() const {
	return site_info_.has_value() && site_info_->is_fenced();
	}

	// Returns the StoragePartitionConfig that corresponds to the SiteInfo the
	// lock is used with.
	StoragePartitionConfig GetStoragePartitionConfig() const;

	// Returns the cross-origin isolation mode of the BrowsingInstance that all
	// agents allowed in this ProcessLock belong to. See
	// https://html.spec.whatwg.org/multipage/document-sequences.html#cross-origin-isolation-mode
	// This is tracked on ProcessLock because a RenderProcessHost can host only
	// cross-origin isolated agents or only non-cross-origin isolated agents, not
	// both.
	WebExposedIsolationInfo GetWebExposedIsolationInfo() const;

	// Returns the cross-origin isolated capability of all agents allowed in this
	// ProcessLock, without taking into account the 'cross-origin-isolated'
	// permissions policy. This ignores permissions policy because it's currently
	// possible for agents with the same ProcessLock to have different
	// 'cross-origin-isolated' permission policies. This can return a lower
	// isolation level than `GetWebExposedIsolationInfo()` if this ProcessLock
	// hosts agents that are cross-origin to a top-level document with the
	// 'isolated application' isolation level. See
	// https://html.spec.whatwg.org/multipage/webappapis.html#dom-crossoriginisolated
	WebExposedIsolationLevel GetWebExposedIsolationLevel() const;

	// Returns whether lock_url() is at least at the granularity of a site (i.e.,
	// a scheme plus eTLD+1, like https://google.com). Also returns true if the
	// lock is to a more specific origin (e.g., https://accounts.google.com), but
	// not if the lock is empty or applies to an entire scheme (e.g., file://).
	bool IsASiteOrOrigin() const;

	bool matches_scheme(const std::string& scheme) const {
	return scheme == lock_url().scheme();
	}

	// Returns true if lock_url() has an opaque origin.
	bool HasOpaqueOrigin() const;

	// Returns true if \|origin\| matches the lock's origin.
	bool MatchesOrigin(const url::Origin& origin) const;

	// Returns true if the COOP/COEP origin isolation information in this lock
	// is set and matches the information in \|site_info\|.
	// Returns true if the web-exposed isolation level in this lock is set and
	// matches (or exceeds) the level set in \|site_info\|.\|.
	bool IsCompatibleWithWebExposedIsolation(const SiteInfo& site_info) const;

	bool operator==(const ProcessLock& rhs) const;
	bool operator!=(const ProcessLock& rhs) const;
	// Defined to allow this object to act as a key for std::map.
	bool operator<(const ProcessLock& rhs) const;

	std::string ToString() const;

	private:
	explicit ProcessLock(const SiteInfo& site_info);

	// TODO(creis): Consider tracking multiple compatible SiteInfos in ProcessLock
	// (e.g., multiple sites when Site Isolation is disabled). This can better
	// restrict what the process has access to in cases that we currently use an
	// allows-any-site ProcessLock.
	std::optional<SiteInfo> site_info_;
	};

	CONTENT_EXPORT std::ostream& operator<<(std::ostream& out,
	const ProcessLock& process_lock);

	} // namespace content

	#endif // CONTENT_BROWSER_PROCESS_LOCK_H_