Origin isolation: implement basic header-based version

This is a first pass at implementing a header-based version of origin
isolation, alongside our existing origin policy-based one, per [1]. It
does not yet parse the header, instead simply using its presence or
absence. This CL includes browser tests only for now; web platform tests
will be done in a follow-up.

[1]: https://github.com/WICG/origin-isolation/commit/1c16647387b6be1bb170ed8ce24a5bd179abfa98

Bug: 1042415
Change-Id: Iaaa97a87e166aeedac2313f718322e5cdb7462e3
Reviewed-on: https://chromium-review.googlesource.com/c/chromium/src/+/2113152
Commit-Queue: Domenic Denicola <domenic@chromium.org>
Reviewed-by: Charlie Reis <creis@chromium.org>
Reviewed-by: Alex Moshchuk <alexmos@chromium.org>
Reviewed-by: James MacLean <wjmaclean@chromium.org>
Cr-Commit-Position: refs/heads/master@{#756370}

content/browser/child_process_security_policy_impl.cc

@@ -1891,12 +1891,12 @@ bool ChildProcessSecurityPolicyImpl::GetMatchingIsolatedOrigin(
 bool ChildProcessSecurityPolicyImpl::DoesOriginRequestOptInIsolation(
     const IsolationContext& isolation_context,
     const url::Origin& origin) {
-  // IsolationOptIn is only available when OriginPolicy is enabled.
+  if (!IsOptInOriginIsolationEnabled())
+    return false;
+
   // We only isolate HTTPS, so early-out if we see other schemes.
-  if (!base::FeatureList::IsEnabled(features::kOriginPolicy) ||
-      !origin.GetURL().SchemeIs(url::kHttpsScheme)) {
+  if (!origin.GetURL().SchemeIs(url::kHttpsScheme))
     return false;
-  }
 
   base::AutoLock origins_isolation_opt_in_lock(origins_isolation_opt_in_lock_);
   // See if the same origin exists in the BrowsingInstance already, and if so
@@ -1922,6 +1922,12 @@ bool ChildProcessSecurityPolicyImpl::DoesOriginRequestOptInIsolation(
   return origin_isolation_opt_ins_.contains(origin);
 }
 
+// static
+bool ChildProcessSecurityPolicyImpl::IsOptInOriginIsolationEnabled() {
+  return base::FeatureList::IsEnabled(features::kOriginPolicy) ||
+         base::FeatureList::IsEnabled(features::kOriginIsolationHeader);
+}
+
 void ChildProcessSecurityPolicyImpl::
     RemoveOptInIsolatedOriginsForBrowsingInstance(
         const IsolationContext& isolation_context) {

content/browser/child_process_security_policy_impl.h

@@ -255,6 +255,11 @@ class CONTENT_EXPORT ChildProcessSecurityPolicyImpl
       const IsolationContext& isolation_context,
       const url::Origin& origin);
 
+  // Returns true if web-exposed mechanisms for opting in to isolated origins
+  // are enabled (namely, either via origin policy or via the Origin-Isolation
+  // header).
+  static bool IsOptInOriginIsolationEnabled();
+
   // This function manages updates to the master list of origins requesting
   // isolation, e.g. via an OriginPolicy.
   void UpdateOriginIsolationOptInListIfNecessary(const url::Origin& origin,

content/browser/frame_host/navigation_request.cc

@@ -1692,30 +1692,35 @@ void NavigationRequest::OnRequestRedirected(
   WillRedirectRequest(common_params_->referrer->url, expected_process);
 }
 
-void NavigationRequest::CheckForOriginPolicyIsolationOptIn(
+void NavigationRequest::CheckForIsolationOptIn(
     const GURL& url,
     const network::mojom::URLResponseHead* response) {
-  // IsolationOptIn is only available when OriginPolicy is enabled.
-  if (!base::FeatureList::IsEnabled(features::kOriginPolicy))
+  if (!response)
     return;
 
-  bool requests_origin_isolation = false;
-  if (response && response->origin_policy) {
-    const network::OriginPolicy& origin_policy =
-        response->origin_policy.value();
-    // For now, we'll take the presence of any isolation_optin_hints value
-    // as an indication to opt-in.
-    requests_origin_isolation =
-        origin_policy.state == network::OriginPolicyState::kLoaded &&
-        origin_policy.contents->isolation_optin_hints.has_value();
-  }
+  // For now we only check for the presence of hints; we do not yet act on the
+  // specific hints.
+  const bool requests_via_origin_policy =
+      base::FeatureList::IsEnabled(features::kOriginPolicy) &&
+      response->origin_policy &&
+      response->origin_policy->state == network::OriginPolicyState::kLoaded &&
+      response->origin_policy->contents->isolation_optin_hints.has_value();
+
+  // TODO(https://crbug.com/1066930): For now we just check the presence of the
+  // header; we do not parse/validate it. When we do, that will have to be
+  // outside the browser process.
+  const bool requests_via_header =
+      base::FeatureList::IsEnabled(features::kOriginIsolationHeader) &&
+      response->headers && response->headers->HasHeader("origin-isolation");
+
+  const bool requests_origin_isolation =
+      requests_via_origin_policy || requests_via_header;
+
   auto* policy = ChildProcessSecurityPolicyImpl::GetInstance();
   url::Origin origin = url::Origin::Create(url);
   // We need to update the master list even if |requests_origin_isolation| is
-  // false, since we need to maintain the master opt-in list according to the
-  // most recently seen OriginPolicy.
-  // TODO(wjmaclean): when we start to support versioning for OriginPolicies,
-  // will we need to key the master list accordingly?
+  // false, since we need to maintain the opt-in list according to the most
+  // recently seen opt-in.
   policy->UpdateOriginIsolationOptInListIfNecessary(origin,
                                                     requests_origin_isolation);
 }
@@ -1902,10 +1907,10 @@ void NavigationRequest::OnResponseStarted(
     }
   }
 
-  // The navigation may have encountered an OriginPolicy that requests isolation
-  // for the url's origin. Before we pick the renderer, make sure we update the
-  // master list for origin-isolation opt-ins.
-  CheckForOriginPolicyIsolationOptIn(common_params().url, response());
+  // The navigation may have encountered an origin policy or Origin-Isolation
+  // header that requests isolation for the url's origin. Before we pick the
+  // renderer, make sure we update the origin-isolation opt-ins appropriately.
+  CheckForIsolationOptIn(common_params().url, response());
 
   // Select an appropriate renderer to commit the navigation.
   if (IsServedFromBackForwardCache()) {
@@ -2777,8 +2782,7 @@ void NavigationRequest::RenderProcessHostDestroyed(RenderProcessHost* host) {
 
 void NavigationRequest::RenderProcessExited(
     RenderProcessHost* host,
-    const ChildProcessTerminationInfo& info) {
-}
+    const ChildProcessTerminationInfo& info) {}
 
 void NavigationRequest::UpdateSiteURL(
     RenderProcessHost* post_redirect_process) {

content/browser/frame_host/navigation_request.h

@@ -580,12 +580,11 @@ class CONTENT_EXPORT NavigationRequest
           navigation_initiator,
       RenderFrameHostImpl* rfh_restored_from_back_forward_cache);
 
-  // Checks if the OriginPolicy in a NavigationRequest's response contains a
-  // request to isolate the url's origin, and if so registers it with the global
-  // origin isolation map.
-  void CheckForOriginPolicyIsolationOptIn(
-      const GURL& url,
-      const network::mojom::URLResponseHead* response);
+  // Checks if the response requests an isolated origin (using either origin
+  // policy or the Origin-Isolation header), and if so opts in the origin to be
+  // isolated.
+  void CheckForIsolationOptIn(const GURL& url,
+                              const network::mojom::URLResponseHead* response);
 
   // NavigationURLLoaderDelegate implementation.
   void OnRequestRedirected(