[Security] More general cross-origin-isolated check in ConvertToSiteInstance

Reuses the general check for SiteInstance compatibility regarding COOP+COEP
isolation.

Bug: 1107814
Change-Id: I0ec25d36a650e23a103d2d509c034d240f953b1b
Reviewed-on: https://chromium-review.googlesource.com/c/chromium/src/+/2398520
Commit-Queue: Arthur Hemery <ahemery@chromium.org>
Reviewed-by: Alex Moshchuk <alexmos@chromium.org>
Cr-Commit-Position: refs/heads/master@{#805266}

content/browser/frame_host/navigator_unittest.cc

@@ -64,7 +64,8 @@ class NavigatorTest : public RenderViewHostImplTestHarness {
       const SiteInstanceDescriptor& descriptor,
       SiteInstance* candidate_instance) {
     return rfhm->ConvertToSiteInstance(
-        descriptor, static_cast<SiteInstanceImpl*>(candidate_instance));
+        descriptor, static_cast<SiteInstanceImpl*>(candidate_instance),
+        false /* is_speculative */);
   }
 };
 

content/browser/frame_host/render_frame_host_manager.cc

@@ -1558,8 +1558,8 @@ RenderFrameHostManager::GetSiteInstanceForNavigation(
       is_failure, dest_is_restore, dest_is_view_source_mode, should_swap,
       was_server_redirect, is_coop_coep_cross_origin_isolated, is_speculative);
 
-  scoped_refptr<SiteInstance> new_instance =
-      ConvertToSiteInstance(new_instance_descriptor, candidate_instance);
+  scoped_refptr<SiteInstance> new_instance = ConvertToSiteInstance(
+      new_instance_descriptor, candidate_instance, is_speculative);
   SiteInstanceImpl* new_instance_impl =
       static_cast<SiteInstanceImpl*>(new_instance.get());
   DCHECK(IsSiteInstanceCompatibleWithCoopCoepCrossOriginIsolation(
@@ -2000,7 +2000,8 @@ bool RenderFrameHostManager::IsBrowsingInstanceSwapAllowedForPageTransition(
 
 scoped_refptr<SiteInstance> RenderFrameHostManager::ConvertToSiteInstance(
     const SiteInstanceDescriptor& descriptor,
-    SiteInstanceImpl* candidate_instance) {
+    SiteInstanceImpl* candidate_instance,
+    bool is_speculative) {
   SiteInstanceImpl* current_instance = render_frame_host_->GetSiteInstance();
 
   // If we are asked to return a related SiteInstance but the BrowsingInstance
@@ -2030,8 +2031,10 @@ scoped_refptr<SiteInstance> RenderFrameHostManager::ConvertToSiteInstance(
   // At this point we know an unrelated site instance must be returned. First
   // check if the candidate matches.
   if (candidate_instance &&
-      candidate_instance->IsCoopCoepCrossOriginIsolated() ==
-          descriptor.is_coop_coep_cross_origin_isolated &&
+      IsSiteInstanceCompatibleWithCoopCoepCrossOriginIsolation(
+          candidate_instance, frame_tree_node_->IsMainFrame(),
+          descriptor.dest_url, descriptor.is_coop_coep_cross_origin_isolated,
+          is_speculative) &&
       !current_instance->IsRelatedSiteInstance(candidate_instance) &&
       candidate_instance->DoesSiteInfoForURLMatch(descriptor.dest_url)) {
     return candidate_instance;

content/browser/frame_host/render_frame_host_manager.h

@@ -727,9 +727,12 @@ class CONTENT_EXPORT RenderFrameHostManager
   // Converts a SiteInstanceDescriptor to the actual SiteInstance it describes.
   // If a |candidate_instance| is provided (is not nullptr) and it matches the
   // description, it is returned as is.
+  // |is_speculative| indicates whether we are computing a SiteInstance for a
+  // speculative RenderFrameHost or if have already received a response.
   scoped_refptr<SiteInstance> ConvertToSiteInstance(
       const SiteInstanceDescriptor& descriptor,
-      SiteInstanceImpl* candidate_instance);
+      SiteInstanceImpl* candidate_instance,
+      bool is_speculative);
 
   // Returns true if |candidate| is currently on the same web site as
   // |dest_url|. This method is a special case for handling hosted apps in