[Security] Introduce the concept of cross-origin isolated.

A cross origin isolated page is a page that has set COOP and COEP, eventually unlocking access to powerful APIs such as SharedArrayBuffer. This first patch goal is to introduce cross origin isolated BrowsingInstances that only contain cross origin isolated pages. It modifies the SiteInstance selection process to make sure the invariant holds. In more details: - BrowsingInstances now have a is_coop_coep_cross_origin_isolated boolean, that indicates if all the pages contained into it have been COOP+COEP enabled. Each BrowsingInstance also holds the origin of the top level pages contained in it, unique across all the top level pages in it. - CHECKS and DCHECKS enforce the BrowsingInstance invariant. See the full design doc https://docs.google.com/document/d/1OFaz1Txi4ynFLmRqNTLFF3qd6jm4kK4GkJdmgr5_aZA/edit?usp=sharing for more information. It was based on clamy@ work here: https://chromium-review.googlesource.com/c/chromium/src/+/2066844 and further discussed here: https://chromium-review.googlesource.com/c/chromium/src/+/2119854 BUG=1055779 Change-Id: I4829337f5fd4a4c2cd18f2cfaaf7ef8054eb67a8 Reviewed-on: https://chromium-review.googlesource.com/c/chromium/src/+/2230632Reviewed-by: Camille Lamy <clamy@chromium.org> Reviewed-by: Alex Moshchuk <alexmos@chromium.org> Reviewed-by: Arthur Sonzogni <arthursonzogni@chromium.org> Commit-Queue: Arthur Hemery <ahemery@chromium.org> Cr-Commit-Position: refs/heads/master@{#800556}

[Security] Introduce the concept of cross-origin isolated.
A cross origin isolated page is a page that has set COOP and COEP, eventually unlocking access to powerful APIs such as SharedArrayBuffer. This first patch goal is to introduce cross origin isolated BrowsingInstances that only contain cross origin isolated pages. It modifies the SiteInstance selection process to make sure the invariant holds. In more details: - BrowsingInstances now have a is_coop_coep_cross_origin_isolated boolean, that indicates if all the pages contained into it have been COOP+COEP enabled. Each BrowsingInstance also holds the origin of the top level pages contained in it, unique across all the top level pages in it. - CHECKS and DCHECKS enforce the BrowsingInstance invariant. See the full design doc https://docs.google.com/document/d/1OFaz1Txi4ynFLmRqNTLFF3qd6jm4kK4GkJdmgr5_aZA/edit?usp=sharing for more information. It was based on clamy@ work here: https://chromium-review.googlesource.com/c/chromium/src/+/2066844 and further discussed here: https://chromium-review.googlesource.com/c/chromium/src/+/2119854 BUG=1055779 Change-Id: I4829337f5fd4a4c2cd18f2cfaaf7ef8054eb67a8 Reviewed-on: https://chromium-review.googlesource.com/c/chromium/src/+/2230632Reviewed-by: Camille Lamy <clamy@chromium.org> Reviewed-by: Alex Moshchuk <alexmos@chromium.org> Reviewed-by: Arthur Sonzogni <arthursonzogni@chromium.org> Commit-Queue: Arthur Hemery <ahemery@chromium.org> Cr-Commit-Position: refs/heads/master@{#800556}
2e1d149b · Arthur Hemery · Commit Bot · 28e2ea0a · 2e1d149b · 2e1d149b
Commit 2e1d149b authored Aug 21, 2020 by Arthur Hemery Committed by Commit Bot Aug 21, 2020
9 changed files
--- a/content/browser/browsing_instance.cc
+++ b/content/browser/browsing_instance.cc
@@ -22,13 +22,21 @@ namespace content {
 // invalid BrowsingInstanceId value, which is 0 in its underlying IdType32.
 int BrowsingInstance::next_browsing_instance_id_ = 1;
-BrowsingInstance::BrowsingInstance(BrowserContext* browser_context)
+BrowsingInstance::BrowsingInstance(
+    BrowserContext* browser_context,
+    bool is_coop_coep_cross_origin_isolated,
+    const base::Optional<url::Origin>& coop_coep_cross_origin_isolated_origin)
    : isolation_context_(
          BrowsingInstanceId::FromUnsafeValue(next_browsing_instance_id_++),
          BrowserOrResourceContext(browser_context)),
      active_contents_count_(0u),
      default_process_(nullptr),
-      default_site_instance_(nullptr) {
+      default_site_instance_(nullptr),
+      is_coop_coep_cross_origin_isolated_(is_coop_coep_cross_origin_isolated),
+      coop_coep_cross_origin_isolated_origin_(
+          coop_coep_cross_origin_isolated_origin) {
+  DCHECK(!is_coop_coep_cross_origin_isolated_ ||
+         coop_coep_cross_origin_isolated_origin_.has_value());
  DCHECK(browser_context);
 }

--- a/content/browser/browsing_instance.h
+++ b/content/browser/browsing_instance.h
@@ -18,6 +18,7 @@
 #include "content/common/content_export.h"
 #include "content/public/browser/browser_context.h"
 #include "content/public/browser/render_process_host_observer.h"
+#include "url/origin.h"
 class GURL;
@@ -82,7 +83,16 @@ class CONTENT_EXPORT BrowsingInstance final
  static BrowsingInstanceId NextBrowsingInstanceId();
  // Create a new BrowsingInstance.
-  explicit BrowsingInstance(BrowserContext* context);
+  // |is_coop_coep_cross_origin_isolated| indicates whether the BrowsingInstance
+  // should contain only cross-origin isolated pages, i.e. pages with
+  // cross-origin-opener-policy set to same-origin and
+  // cross-origin-embedder-policy set to require-corp.
+  // |cross_origin_isolated_origin| the origin shared by all the top level pages
+  // if the BrowsingInstance is cross-origin isolated.
+  explicit BrowsingInstance(
+      BrowserContext* context,
+      bool is_coop_coep_cross_origin_isolated,
+      const base::Optional<url::Origin>& cross_origin_isolated_origin);
  ~BrowsingInstance() final;
@@ -187,6 +197,24 @@ class CONTENT_EXPORT BrowsingInstance final
  // why SiteInfo is the right class to key this on.
  typedef std::map<SiteInfo, SiteInstanceImpl*> SiteInstanceMap;
+  // Returns true if the BrowsingInstance was created to contain only
+  // cross-origin isolated pages, i.e. pages with cross-origin-opener-policy set
+  // to same-origin and cross-origin-embedder-policy set to require-corp.
+  // The same-origin COOP also implies that all pages in the BrowsingInstance
+  // have the same top-level origin.
+  // See
+  // https://html.spec.whatwg.org/multipage/webappapis.html#dom-crossoriginisolated
+  bool is_coop_coep_cross_origin_isolated() const {
+    return is_coop_coep_cross_origin_isolated_;
+  }
+  // If the BrowsingInstance is cross-origin isolated, returns the origin shared
+  // by all the top level pages. Empty otherwise.
+  const base::Optional<url::Origin>& coop_coep_cross_origin_isolated_origin()
+      const {
+    return coop_coep_cross_origin_isolated_origin_;
+  }
  // The next available browser-global BrowsingInstance ID.
  static int next_browsing_instance_id_;
@@ -229,6 +257,18 @@ class CONTENT_EXPORT BrowsingInstance final
  // TODO(wjmaclean): Revise this to store SiteInfos instead of GURLs.
  std::set<GURL> site_url_set_;
+  // Tracks whether this BrowsingInstance contains pages using COOP
+  // "same-origin" and COEP "require-corp". This is set in the constructor and
+  // is immutable.
+  // As a general rule, cross-origin isolated BrowsingInstances are only hosted
+  // by processes that do not host non cross-origin isolated pages.
+  const bool is_coop_coep_cross_origin_isolated_;
+  // When the BrowsingInstance is cross-origin isolated, all the top level pages
+  // are same origin. This member stores this origin. The notable exception is
+  // error pages that stay in the same BrowsingInstance.
+  const base::Optional<url::Origin> coop_coep_cross_origin_isolated_origin_;
  DISALLOW_COPY_AND_ASSIGN(BrowsingInstance);
 };

--- a/content/browser/cross_origin_opener_policy_browsertest.cc
+++ b/content/browser/cross_origin_opener_policy_browsertest.cc
--- a/content/browser/frame_host/navigator_unittest.cc
+++ b/content/browser/frame_host/navigator_unittest.cc
@@ -1072,8 +1072,9 @@ TEST_F(NavigatorTest, SiteInstanceDescriptionConversion) {
  // current one.
  GURL kUrlSameSiteAs1("http://www.a.com/foo");
  {
-    SiteInstanceDescriptor descriptor(kUrlSameSiteAs1,
+    SiteInstanceDescriptor descriptor(
-                                      SiteInstanceRelation::RELATED);
+        kUrlSameSiteAs1, SiteInstanceRelation::RELATED,
+        false /* is_coop_coep_cross_origin_isolated */);
    scoped_refptr<SiteInstance> converted_instance =
        ConvertToSiteInstance(rfhm, descriptor, nullptr);
    EXPECT_EQ(current_instance, converted_instance);
@@ -1084,8 +1085,9 @@ TEST_F(NavigatorTest, SiteInstanceDescriptionConversion) {
  GURL kUrlSameSiteAs2("http://www.b.com/foo");
  scoped_refptr<SiteInstance> related_instance;
  {
-    SiteInstanceDescriptor descriptor(kUrlSameSiteAs2,
+    SiteInstanceDescriptor descriptor(
-                                      SiteInstanceRelation::RELATED);
+        kUrlSameSiteAs2, SiteInstanceRelation::RELATED,
+        false /* is_coop_coep_cross_origin_isolated */);
    related_instance = ConvertToSiteInstance(rfhm, descriptor, nullptr);
    // If kUrlSameSiteAs2 requires a dedicated process on this platform, this
    // should return a new instance, related to the current and set to the new
@@ -1108,8 +1110,9 @@ TEST_F(NavigatorTest, SiteInstanceDescriptionConversion) {
  // 5) Convert a descriptor of an unrelated instance with the same site as the
  // current one, several times, with and without candidate sites.
  {
-    SiteInstanceDescriptor descriptor(kUrlSameSiteAs1,
+    SiteInstanceDescriptor descriptor(
-                                      SiteInstanceRelation::UNRELATED);
+        kUrlSameSiteAs1, SiteInstanceRelation::UNRELATED,
+        false /* is_coop_coep_cross_origin_isolated */);
    scoped_refptr<SiteInstance> converted_instance_1 =
        ConvertToSiteInstance(rfhm, descriptor, nullptr);
    // Should return a new instance, unrelated to the current one, set to the
@@ -1146,8 +1149,9 @@ TEST_F(NavigatorTest, SiteInstanceDescriptionConversion) {
  // 6) Convert a descriptor of an unrelated instance with the same site of
  // related_instance and using it as a candidate.
  {
-    SiteInstanceDescriptor descriptor(kUrlSameSiteAs2,
+    SiteInstanceDescriptor descriptor(
-                                      SiteInstanceRelation::UNRELATED);
+        kUrlSameSiteAs2, SiteInstanceRelation::UNRELATED,
+        false /* is_coop_coep_cross_origin_isolated */);
    scoped_refptr<SiteInstance> converted_instance_1 =
        ConvertToSiteInstance(rfhm, descriptor, related_instance.get());
    // Should return a new instance, unrelated to the current, set to the

--- a/content/browser/frame_host/render_frame_host_manager.cc
+++ b/content/browser/frame_host/render_frame_host_manager.cc
--- a/content/browser/frame_host/render_frame_host_manager.h
+++ b/content/browser/frame_host/render_frame_host_manager.h
@@ -570,7 +570,8 @@ class CONTENT_EXPORT RenderFrameHostManager
          relation(SiteInstanceRelation::PREEXISTING) {}
    SiteInstanceDescriptor(GURL dest_url,
-                           SiteInstanceRelation relation_to_current);
+                           SiteInstanceRelation relation_to_current,
+                           bool is_coop_coep_cross_origin_isolated);
    // Set with an existing SiteInstance to be reused.
    content::SiteInstance* existing_site_instance;
@@ -581,6 +582,14 @@ class CONTENT_EXPORT RenderFrameHostManager
    // Specifies how the new site is related to the current BrowsingInstance.
    // This is PREEXISTING iff |existing_site_instance| is defined.
    SiteInstanceRelation relation;
+    // A cross-origin isolated page has its top level frame
+    // cross-origin-opener-policy set to "same-origin" and
+    // cross-origin-embedder-policy set to "require-corp".
+    // This allows the use of more powerful features such as SharedArrayBuffer.
+    // A cross-origin isolated SiteInstance hosts such pages and should only
+    // live in cross-origin isolated BrowsingInstances.
+    bool is_coop_coep_cross_origin_isolated = false;
  };
  // Create a RenderFrameProxyHost owned by this object.
@@ -629,7 +638,9 @@ class CONTENT_EXPORT RenderFrameHostManager
      bool is_same_document,
      bool cross_origin_opener_policy_mismatch,
      bool was_server_redirect,
-      bool should_replace_current_entry);
+      bool should_replace_current_entry,
+      bool is_coop_coep_cross_origin_isolated,
+      bool is_speculative);
  ShouldSwapBrowsingInstance ShouldProactivelySwapBrowsingInstance(
      const GURL& destination_url,
@@ -651,6 +662,8 @@ class CONTENT_EXPORT RenderFrameHostManager
      bool was_server_redirect,
      bool cross_origin_opener_policy_mismatch,
      bool should_replace_current_entry,
+      bool is_coop_coep_cross_origin_isolated,
+      bool is_speculative,
      bool* did_same_site_proactive_browsing_instance_swap);
  // Returns a descriptor of the appropriate SiteInstance object for the given
@@ -666,6 +679,11 @@ class CONTENT_EXPORT RenderFrameHostManager
  // A is trying to change the src attribute of B, this will cause a navigation
  // where the source SiteInstance is A and B is the current SiteInstance.
  //
+  // |is_speculative| indicates that the SiteInstance is being computed for a
+  // speculative RenderFrameHost, which may change once response is received and
+  // a final RenderFrameHost/SiteInstance is computed. It is true at request
+  // start time, but false for redirects and at OnResponseStarted time.
+  //
  // This is a helper function for GetSiteInstanceForNavigation.
  SiteInstanceDescriptor DetermineSiteInstanceForURL(
      const GURL& dest_url,
@@ -677,7 +695,9 @@ class CONTENT_EXPORT RenderFrameHostManager
      bool dest_is_restore,
      bool dest_is_view_source_mode,
      bool force_browsing_instance_swap,
-      bool was_server_redirect);
+      bool was_server_redirect,
+      bool is_coop_coep_cross_origin_isolated,
+      bool is_speculative);
  // Returns true if a navigation to |dest_url| that uses the specified
  // PageTransition in the current frame is allowed to swap BrowsingInstances.
@@ -704,7 +724,9 @@ class CONTENT_EXPORT RenderFrameHostManager
  bool CanUseSourceSiteInstance(const GURL& dest_url,
                                SiteInstance* source_instance,
                                bool was_server_redirect,
-                                bool is_failure);
+                                bool is_failure,
+                                bool is_coop_coep_cross_origin_isolated,
+                                bool is_speculative);
  // Converts a SiteInstanceDescriptor to the actual SiteInstance it describes.
  // If a |candidate_instance| is provided (is not nullptr) and it matches the

--- a/content/browser/site_instance_impl.cc
+++ b/content/browser/site_instance_impl.cc
@@ -145,18 +145,23 @@ SiteInstanceImpl::~SiteInstanceImpl() {
 scoped_refptr<SiteInstanceImpl> SiteInstanceImpl::Create(
    BrowserContext* browser_context) {
  DCHECK(browser_context);
-  return base::WrapRefCounted(
+  return base::WrapRefCounted(new SiteInstanceImpl(new BrowsingInstance(
-      new SiteInstanceImpl(new BrowsingInstance(browser_context)));
+      browser_context, false /* is_coop_coep_cross_origin_isolated */,
+      base::nullopt)));
 }
 // static
 scoped_refptr<SiteInstanceImpl> SiteInstanceImpl::CreateForURL(
    BrowserContext* browser_context,
-    const GURL& url) {
+    const GURL& url,
+    bool is_coop_coep_cross_origin_isolated) {
  DCHECK(browser_context);
  // This will create a new SiteInstance and BrowsingInstance.
-  scoped_refptr<BrowsingInstance> instance(
+  scoped_refptr<BrowsingInstance> instance(new BrowsingInstance(
-      new BrowsingInstance(browser_context));
+      browser_context, is_coop_coep_cross_origin_isolated,
+      is_coop_coep_cross_origin_isolated
+          ? base::Optional<url::Origin>(url::Origin::Create(url))
+          : base::nullopt));
  // Note: The |allow_default_instance| value used here MUST match the value
  // used in DoesSiteForURLMatch().
@@ -176,8 +181,12 @@ scoped_refptr<SiteInstanceImpl> SiteInstanceImpl::CreateForServiceWorker(
    site_instance = CreateForGuest(browser_context, url);
  } else {
    // This will create a new SiteInstance and BrowsingInstance.
-    scoped_refptr<BrowsingInstance> instance(
+    // TODO(ahemery): We need to assess here if the SW operates in a
-        new BrowsingInstance(browser_context));
+    // crossOriginIsolated context and forward that value to the
+    // BrowsingInstance created.
+    scoped_refptr<BrowsingInstance> instance(new BrowsingInstance(
+        browser_context, false /* is_coop_coep_cross_origin_isolated */,
+        base::nullopt));
    // We do NOT want to allow the default site instance here because workers
    // need to be kept separate from other sites.
@@ -206,8 +215,10 @@ scoped_refptr<SiteInstanceImpl> SiteInstanceImpl::CreateForGuest(
    const GURL& guest_site_url) {
  DCHECK(browser_context);
  DCHECK_NE(guest_site_url, GetDefaultSiteURL());
-  scoped_refptr<SiteInstanceImpl> site_instance = base::WrapRefCounted(
+  scoped_refptr<SiteInstanceImpl> site_instance =
-      new SiteInstanceImpl(new BrowsingInstance(browser_context)));
+      base::WrapRefCounted(new SiteInstanceImpl(new BrowsingInstance(
+          browser_context, false /* is_coop_coep_cross_origin_isolated */,
+          base::nullopt)));
  site_instance->is_guest_ = true;
@@ -227,8 +238,9 @@ SiteInstanceImpl::CreateReusableInstanceForTesting(
    const GURL& url) {
  DCHECK(browser_context);
  // This will create a new SiteInstance and BrowsingInstance.
-  scoped_refptr<BrowsingInstance> instance(
+  scoped_refptr<BrowsingInstance> instance(new BrowsingInstance(
-      new BrowsingInstance(browser_context));
+      browser_context, false /* is_coop_coep_cross_origin_isolated */,
+      base::nullopt));
  auto site_instance =
      instance->GetSiteInstanceForURL(url,
                                      /* allow_default_instance */ false);
@@ -1296,6 +1308,15 @@ void SiteInstanceImpl::LockProcessIfNeeded() {
  policy->IncludeIsolationContext(process_->GetID(), GetIsolationContext());
 }
+bool SiteInstanceImpl::IsCoopCoepCrossOriginIsolated() const {
+  return browsing_instance_->is_coop_coep_cross_origin_isolated();
+}
+base::Optional<url::Origin>
+SiteInstanceImpl::CoopCoepCrossOriginIsolatedOrigin() const {
+  return browsing_instance_->coop_coep_cross_origin_isolated_origin();
+}
 // static
 void SiteInstance::StartIsolatingSite(BrowserContext* context,
                                      const GURL& url) {

--- a/content/browser/site_instance_impl.h
+++ b/content/browser/site_instance_impl.h
@@ -154,9 +154,14 @@ class CONTENT_EXPORT SiteInstanceImpl final : public SiteInstance,
  // are on the SiteInstance::Create* methods with the same name.
  static scoped_refptr<SiteInstanceImpl> Create(
      BrowserContext* browser_context);
+  // |is_coop_coep_cross_origin_isolated| is not exposed in content/public. It
+  // sets the BrowsingInstance is_coop_coep_cross_origin_isolated_ property.
+  // Once this property is set it cannot be changed and is used in process
+  // allocation decisions.
  static scoped_refptr<SiteInstanceImpl> CreateForURL(
      BrowserContext* browser_context,
-      const GURL& url);
+      const GURL& url,
+      bool is_coop_coep_cross_origin_isolated = false);
  static scoped_refptr<SiteInstanceImpl> CreateForGuest(
      content::BrowserContext* browser_context,
      const GURL& guest_site_url);
@@ -484,6 +489,14 @@ class CONTENT_EXPORT SiteInstanceImpl final : public SiteInstance,
  // RenderProcessHost (with a new ID).
  AgentSchedulingGroupHost& GetAgentSchedulingGroup();
+  // Returns true if the SiteInstance is part of a CoopCoepCrossOriginIsolated
+  // BrowsingInstance.
+  bool IsCoopCoepCrossOriginIsolated() const;
+  // If IsCoopCoepCrossOriginIsolated is true, returns the origin shared across
+  // all top level frames in this BrowsingInstance.
+  base::Optional<url::Origin> CoopCoepCrossOriginIsolatedOrigin() const;
 private:
  friend class BrowsingInstance;
  friend class SiteInstanceTestBrowserClient;

--- a/content/browser/site_instance_impl_unittest.cc
+++ b/content/browser/site_instance_impl_unittest.cc
@@ -44,6 +44,7 @@
 #include "content/test/test_content_client.h"
 #include "content/test/test_render_view_host.h"
 #include "testing/gtest/include/gtest/gtest.h"
+#include "url/origin.h"
 #include "url/url_util.h"
 namespace content {
@@ -743,8 +744,9 @@ TEST_F(SiteInstanceTest, OneSiteInstancePerSite) {
  ASSERT_FALSE(base::CommandLine::ForCurrentProcess()->HasSwitch(
      switches::kProcessPerSite));
  std::unique_ptr<TestBrowserContext> browser_context(new TestBrowserContext());
-  BrowsingInstance* browsing_instance =
+  BrowsingInstance* browsing_instance = new BrowsingInstance(
-      new BrowsingInstance(browser_context.get());
+      browser_context.get(), false /* is_coop_coep_cross_origin_isolated */,
+      base::nullopt /* coop_coep_cross_origin_isolated_origin */);
  const GURL url_a1("http://www.google.com/1.html");
  scoped_refptr<SiteInstanceImpl> site_instance_a1(
@@ -773,8 +775,9 @@ TEST_F(SiteInstanceTest, OneSiteInstancePerSite) {
  // A visit to the original site in a new BrowsingInstance (same or different
  // browser context) should return a different SiteInstance.
-  BrowsingInstance* browsing_instance2 =
+  BrowsingInstance* browsing_instance2 = new BrowsingInstance(
-      new BrowsingInstance(browser_context.get());
+      browser_context.get(), false /* is_coop_coep_cross_origin_isolated */,
+      base::nullopt /* coop_coep_cross_origin_isolated_origin */);
  // Ensure the new SiteInstance is ref counted so that it gets deleted.
  scoped_refptr<SiteInstanceImpl> site_instance_a2_2(
      browsing_instance2->GetSiteInstanceForURL(url_a2, false));
@@ -815,8 +818,9 @@ TEST_F(SiteInstanceTest, OneSiteInstancePerSiteInBrowserContext) {
  base::CommandLine::ForCurrentProcess()->AppendSwitch(
      switches::kProcessPerSite);
  std::unique_ptr<TestBrowserContext> browser_context(new TestBrowserContext());
-  scoped_refptr<BrowsingInstance> browsing_instance =
+  scoped_refptr<BrowsingInstance> browsing_instance = new BrowsingInstance(
-      new BrowsingInstance(browser_context.get());
+      browser_context.get(), false /* is_coop_coep_cross_origin_isolated */,
+      base::nullopt /* coop_coep_cross_origin_isolated_origin */);
  const GURL url_a1("http://www.google.com/1.html");
  scoped_refptr<SiteInstanceImpl> site_instance_a1(
@@ -845,8 +849,9 @@ TEST_F(SiteInstanceTest, OneSiteInstancePerSiteInBrowserContext) {
  // A visit to the original site in a new BrowsingInstance (same browser
  // context) should return a different SiteInstance with the same process.
-  BrowsingInstance* browsing_instance2 =
+  BrowsingInstance* browsing_instance2 = new BrowsingInstance(
-      new BrowsingInstance(browser_context.get());
+      browser_context.get(), false /* is_coop_coep_cross_origin_isolated */,
+      base::nullopt /* coop_coep_cross_origin_isolated_origin */);
  scoped_refptr<SiteInstanceImpl> site_instance_a1_2(
      browsing_instance2->GetSiteInstanceForURL(url_a1, false));
  EXPECT_TRUE(site_instance_a1.get() != nullptr);
@@ -857,8 +862,9 @@ TEST_F(SiteInstanceTest, OneSiteInstancePerSiteInBrowserContext) {
  // context) should return a different SiteInstance with a different process.
  std::unique_ptr<TestBrowserContext> browser_context2(
      new TestBrowserContext());
-  BrowsingInstance* browsing_instance3 =
+  BrowsingInstance* browsing_instance3 = new BrowsingInstance(
-      new BrowsingInstance(browser_context2.get());
+      browser_context2.get(), false /* is_coop_coep_cross_origin_isolated */,
+      base::nullopt /* coop_coep_cross_origin_isolated_origin */);
  scoped_refptr<SiteInstanceImpl> site_instance_a2_3(
      browsing_instance3->GetSiteInstanceForURL(url_a2, false));
  EXPECT_TRUE(site_instance_a2_3.get() != nullptr);