Lock hosted apps to their underlying web origin.

Previously, hosted apps were exempt from LockToOrigin() even in --site-per-process mode. That meant that hosted apps were not subject to enforcements such as not allowing access to cookies, passwords, or local storage of other sites. Worse, it meant that hosted apps could arbitrarily share a process (e.g., when over process limit), even if they covered different web sites with --site-per-process. This CL starts locking hosted apps to their underlying web origin. If a frame commits a navigation to URL http://foo.com, which is part of a hosted app X's web extent, the process for that frame will be locked to http://foo.com. Note that the SiteInstance for this frame will still use a site URL based on the effective URL (i.e., chrome-extension://<ext_id_for_X>/), but the origin lock will not be based on effective URLs. This requires plumbing to compute the origin lock as a site URL that does not use an effective URL, and to plumb it into various places that make process model decisions, such as RPHI::IsSuitableHost(). Bug: 811939, 794315, 791796 Change-Id: Icc9b3c0a04253e581ea35953f3c566308305db59 Reviewed-on: https://chromium-review.googlesource.com/959346 Commit-Queue: Alex Moshchuk <alexmos@chromium.org> Reviewed-by: Devlin <rdevlin.cronin@chromium.org> Reviewed-by: Charlie Reis <creis@chromium.org> Cr-Commit-Position: refs/heads/master@{#583895}

Lock hosted apps to their underlying web origin.
Previously, hosted apps were exempt from LockToOrigin() even in --site-per-process mode. That meant that hosted apps were not subject to enforcements such as not allowing access to cookies, passwords, or local storage of other sites. Worse, it meant that hosted apps could arbitrarily share a process (e.g., when over process limit), even if they covered different web sites with --site-per-process. This CL starts locking hosted apps to their underlying web origin. If a frame commits a navigation to URL http://foo.com, which is part of a hosted app X's web extent, the process for that frame will be locked to http://foo.com. Note that the SiteInstance for this frame will still use a site URL based on the effective URL (i.e., chrome-extension://<ext_id_for_X>/), but the origin lock will not be based on effective URLs. This requires plumbing to compute the origin lock as a site URL that does not use an effective URL, and to plumb it into various places that make process model decisions, such as RPHI::IsSuitableHost(). Bug: 811939, 794315, 791796 Change-Id: Icc9b3c0a04253e581ea35953f3c566308305db59 Reviewed-on: https://chromium-review.googlesource.com/959346 Commit-Queue: Alex Moshchuk <alexmos@chromium.org> Reviewed-by: Devlin <rdevlin.cronin@chromium.org> Reviewed-by: Charlie Reis <creis@chromium.org> Cr-Commit-Position: refs/heads/master@{#583895}
71426a90 · Alex Moshchuk · 71120bdb · 71426a90 · 71426a90 · 71426a90
Commit 71426a90 authored Aug 17, 2018 by Alex Moshchuk
14 changed files
--- a/chrome/browser/extensions/chrome_content_browser_client_extensions_part.cc
+++ b/chrome/browser/extensions/chrome_content_browser_client_extensions_part.cc
@@ -428,28 +428,29 @@ bool ChromeContentBrowserClientExtensionsPart::DoesSiteRequireDedicatedProcess(
 bool ChromeContentBrowserClientExtensionsPart::ShouldLockToOrigin(
    content::BrowserContext* browser_context,
    const GURL& effective_site_url) {
-  // https://crbug.com/160576 workaround: Origin lock to the chrome-extension://
+  if (!effective_site_url.SchemeIs(kExtensionScheme))
-  // scheme for a hosted app would kill processes on legitimate requests for the
+    return true;
-  // app's cookies.
-  if (effective_site_url.SchemeIs(extensions::kExtensionScheme)) {
+  const Extension* extension = ExtensionRegistry::Get(browser_context)
-    const Extension* extension =
-        ExtensionRegistry::Get(browser_context)
                                   ->enabled_extensions()
                                   .GetExtensionOrAppByURL(effective_site_url);
-    if (extension && extension->is_hosted_app())
+  if (!extension)
-      return false;
+    return true;
+  // Hosted apps should be locked to their web origin. See
+  // https://crbug.com/794315.
+  if (extension->is_hosted_app())
+    return true;
-    // Extensions are allowed to share processes, even in --site-per-process
+  // Other extensions are allowed to share processes, even in
-    // currently. See https://crbug.com/600441#c1 for some background on the
+  // --site-per-process currently. See https://crbug.com/600441#c1 for some
-    // intersection of extension process reuse and site isolation.
+  // background on the intersection of extension process reuse and site
+  // isolation.
  //
  // TODO(nick): Fix this, possibly by revamping the extensions process model
  // so that sharing is determined by privilege level, as described in
-    // https://crbug.com/766267
+  // https://crbug.com/766267.
-    if (extension)
  return false;
-  }
-  return true;
 }
 // static

--- a/chrome/browser/ui/extensions/hosted_app_browsertest.cc
+++ b/chrome/browser/ui/extensions/hosted_app_browsertest.cc
--- a/content/browser/browsing_instance.cc
+++ b/content/browser/browsing_instance.cc
@@ -21,8 +21,7 @@ BrowsingInstance::BrowsingInstance(BrowserContext* browser_context)
 }
 bool BrowsingInstance::HasSiteInstance(const GURL& url) {
-  std::string site =
+  std::string site = SiteInstance::GetSiteForURL(browser_context_, url)
-      SiteInstanceImpl::GetSiteForURL(browser_context_, url)
                         .possibly_invalid_spec();
  return site_instance_map_.find(site) != site_instance_map_.end();
@@ -30,7 +29,7 @@ bool BrowsingInstance::HasSiteInstance(const GURL& url) {
 scoped_refptr<SiteInstanceImpl> BrowsingInstance::GetSiteInstanceForURL(
    const GURL& url) {
-  std::string site = SiteInstanceImpl::GetSiteForURL(browser_context_, url)
+  std::string site = SiteInstance::GetSiteForURL(browser_context_, url)
                         .possibly_invalid_spec();
  SiteInstanceMap::iterator i = site_instance_map_.find(site);

--- a/content/browser/child_process_security_policy_impl.cc
+++ b/content/browser/child_process_security_policy_impl.cc
@@ -1120,7 +1120,7 @@ bool ChildProcessSecurityPolicyImpl::CanAccessDataForOrigin(int child_id,
  // TODO(creis): We must pass the valid browser_context to convert hosted apps
  // URLs. Currently, hosted apps cannot set cookies in this mode. See
  // http://crbug.com/160576.
-  GURL site_url = SiteInstanceImpl::GetSiteForURL(nullptr, url);
+  GURL site_url = SiteInstance::GetSiteForURL(nullptr, url);
  base::AutoLock lock(lock_);
  SecurityStateMap::iterator state = security_state_.find(child_id);
@@ -1153,7 +1153,7 @@ void ChildProcessSecurityPolicyImpl::LockToOrigin(int child_id,
  DCHECK_CURRENTLY_ON(BrowserThread::UI);
  // "gurl" can be currently empty in some cases, such as file://blah.
-  DCHECK(SiteInstanceImpl::GetSiteForURL(nullptr, gurl) == gurl);
+  DCHECK_EQ(SiteInstanceImpl::DetermineProcessLockURL(nullptr, gurl), gurl);
  base::AutoLock lock(lock_);
  SecurityStateMap::iterator state = security_state_.find(child_id);
  DCHECK(state != security_state_.end());

--- a/content/browser/frame_host/navigator_impl_unittest.cc
+++ b/content/browser/frame_host/navigator_impl_unittest.cc
@@ -133,7 +133,7 @@ TEST_F(NavigatorTestWithBrowserSideNavigation,
  EXPECT_TRUE(main_test_rfh()->navigation_request());
  main_test_rfh()->SendNavigate(entry_id, true, kUrl);
  EXPECT_TRUE(main_test_rfh()->is_active());
-  EXPECT_EQ(SiteInstanceImpl::GetSiteForURL(browser_context(), kUrl),
+  EXPECT_EQ(SiteInstance::GetSiteForURL(browser_context(), kUrl),
            main_test_rfh()->GetSiteInstance()->GetSiteURL());
  EXPECT_EQ(kUrl, contents()->GetLastCommittedURL());
@@ -187,7 +187,7 @@ TEST_F(NavigatorTestWithBrowserSideNavigation,
  // Commit the navigation.
  navigation->Commit();
  EXPECT_TRUE(main_test_rfh()->is_active());
-  EXPECT_EQ(SiteInstanceImpl::GetSiteForURL(browser_context(), kUrl2),
+  EXPECT_EQ(SiteInstance::GetSiteForURL(browser_context(), kUrl2),
            main_test_rfh()->GetSiteInstance()->GetSiteURL());
  EXPECT_EQ(kUrl2, contents()->GetLastCommittedURL());
  EXPECT_FALSE(GetSpeculativeRenderFrameHost(node));
@@ -878,7 +878,7 @@ TEST_F(NavigatorTestWithBrowserSideNavigation,
  // Receive the beforeUnload ACK.
  main_test_rfh()->SendBeforeUnloadACK(true);
  EXPECT_EQ(speculative_rfh, GetSpeculativeRenderFrameHost(node));
-  EXPECT_EQ(SiteInstanceImpl::GetSiteForURL(browser_context(), kUrl),
+  EXPECT_EQ(SiteInstance::GetSiteForURL(browser_context(), kUrl),
            speculative_rfh->GetSiteInstance()->GetSiteURL());
  int32_t site_instance_id = speculative_rfh->GetSiteInstance()->GetId();
  int64_t navigation_id =
@@ -923,7 +923,7 @@ TEST_F(NavigatorTestWithBrowserSideNavigation,
  EXPECT_NE(init_site_instance_id, site_instance_id);
  EXPECT_EQ(init_site_instance_id, main_test_rfh()->GetSiteInstance()->GetId());
  EXPECT_NE(speculative_rfh, main_test_rfh());
-  EXPECT_EQ(SiteInstanceImpl::GetSiteForURL(browser_context(), kUrl),
+  EXPECT_EQ(SiteInstance::GetSiteForURL(browser_context(), kUrl),
            speculative_rfh->GetSiteInstance()->GetSiteURL());
  // Receive the beforeUnload ACK.
@@ -960,7 +960,7 @@ TEST_F(NavigatorTestWithBrowserSideNavigation,
  // Once commit happens the speculative RenderFrameHost is updated to match the
  // known final SiteInstance.
-  EXPECT_EQ(SiteInstanceImpl::GetSiteForURL(browser_context(), kUrlRedirect),
+  EXPECT_EQ(SiteInstance::GetSiteForURL(browser_context(), kUrlRedirect),
            speculative_rfh->GetSiteInstance()->GetSiteURL());
  int32_t redirect_site_instance_id =
      speculative_rfh->GetSiteInstance()->GetId();

--- a/content/browser/frame_host/render_frame_host_manager.cc
+++ b/content/browser/frame_host/render_frame_host_manager.cc
@@ -1218,7 +1218,8 @@ RenderFrameHostManager::DetermineSiteInstanceForURL(
    // thus use the correct process.
    bool use_process_per_site =
        RenderProcessHost::ShouldUseProcessPerSite(browser_context, dest_url) &&
-        RenderProcessHostImpl::GetProcessHostForSite(browser_context, dest_url);
+        RenderProcessHostImpl::GetSoleProcessHostForURL(browser_context,
+                                                        dest_url);
    if (current_instance_impl->HasRelatedSiteInstance(dest_url) ||
        use_process_per_site) {
      return SiteInstanceDescriptor(browser_context, dest_url,

--- a/content/browser/isolated_origin_browsertest.cc
+++ b/content/browser/isolated_origin_browsertest.cc
@@ -568,10 +568,12 @@ IN_PROC_BROWSER_TEST_F(IsolatedOriginTest, ProcessLimit) {
  // Sanity-check IsSuitableHost values for the current processes.
  BrowserContext* browser_context = web_contents()->GetBrowserContext();
  auto is_suitable_host = [browser_context](RenderProcessHost* process,
-                                            GURL url) {
+                                            const GURL& url) {
-    return RenderProcessHostImpl::IsSuitableHost(
+    GURL site_url(SiteInstance::GetSiteForURL(browser_context, url));
-        process, browser_context,
+    GURL lock_url(
-        SiteInstance::GetSiteForURL(browser_context, url));
+        SiteInstanceImpl::DetermineProcessLockURL(browser_context, url));
+    return RenderProcessHostImpl::IsSuitableHost(process, browser_context,
+                                                 site_url, lock_url);
  };
  EXPECT_TRUE(is_suitable_host(foo_process, foo_url));
  EXPECT_FALSE(is_suitable_host(foo_process, isolated_foo_url));

--- a/content/browser/renderer_host/render_process_host_impl.cc
+++ b/content/browser/renderer_host/render_process_host_impl.cc
--- a/content/browser/renderer_host/render_process_host_impl.h
+++ b/content/browser/renderer_host/render_process_host_impl.h
@@ -266,11 +266,16 @@ class CONTENT_EXPORT RenderProcessHostImpl
  // Implementation of FilterURL below that can be shared with the mock class.
  static void FilterURL(RenderProcessHost* rph, bool empty_allowed, GURL* url);
-  // Returns true if |host| is suitable for launching a new view with |site_url|
+  // Returns true if |host| is suitable for rendering a page in the given
-  // in the given |browser_context|.
+  // |browser_context|, where the page would utilize |site_url| as its
+  // SiteInstance site URL, and its process would be locked to |lock_url|.
+  // |site_url| and |lock_url| may differ in cases where an effective URL is
+  // not the actual site that the process is locked to, which happens for
+  // hosted apps.
  static bool IsSuitableHost(RenderProcessHost* host,
                             BrowserContext* browser_context,
-                             const GURL& site_url);
+                             const GURL& site_url,
+                             const GURL& lock_url);
  // Returns an existing RenderProcessHost for |url| in |browser_context|,
  // if one exists.  Otherwise a new RenderProcessHost should be created and
@@ -278,25 +283,45 @@ class CONTENT_EXPORT RenderProcessHostImpl
  // This should only be used for process-per-site mode, which can be enabled
  // globally with a command line flag or per-site, as determined by
  // SiteInstanceImpl::ShouldUseProcessPerSite.
-  static RenderProcessHost* GetProcessHostForSite(
+  // Important: |url| should be a full URL and *not* a site URL.
+  static RenderProcessHost* GetSoleProcessHostForURL(
      BrowserContext* browser_context,
      const GURL& url);
-  // Registers the given |process| to be used for any instance of |url|
+  // Variant of the above that takes in a SiteInstance site URL and the
-  // within |browser_context|.
+  // process's origin lock URL, when they are known.
+  static RenderProcessHost* GetSoleProcessHostForSite(
+      BrowserContext* browser_context,
+      const GURL& site_url,
+      const GURL& lock_url);
+  // Registers the given |process| to be used for all sites identified by
+  // |site_instance| within |browser_context|.
  // This should only be used for process-per-site mode, which can be enabled
  // globally with a command line flag or per-site, as determined by
  // SiteInstanceImpl::ShouldUseProcessPerSite.
-  static void RegisterProcessHostForSite(
+  static void RegisterSoleProcessHostForSite(BrowserContext* browser_context,
-      BrowserContext* browser_context,
                                             RenderProcessHost* process,
-      const GURL& url);
+                                             SiteInstanceImpl* site_instance);
  // Returns a suitable RenderProcessHost to use for |site_instance|. Depending
  // on the SiteInstance's ProcessReusePolicy and its url, this may be an
  // existing RenderProcessHost or a new one.
+  //
+  // This is the main entrypoint into the process assignment logic, which
+  // handles all cases.  These cases include:
+  // - process-per-site: see
+  //   RegisterSoleProcessHostForSite/GetSoleProcessHostForSite.
+  // - TDI: see GetDefaultSubframeProcessHost.
+  // - REUSE_PENDING_OR_COMMITTED reuse policy (for ServiceWorkers and OOPIFs):
+  //   see FindReusableProcessHostForSiteInstance.
+  // - normal process reuse when over process limit:  see
+  //   GetExistingProcessHost.
+  // - using the spare RenderProcessHost when possible: see
+  //   MaybeTakeSpareRenderProcessHost.
+  // - process creation when an existing process couldn't be found: see
+  //   CreateRenderProcessHost.
  static RenderProcessHost* GetProcessHostForSiteInstance(
-      BrowserContext* browser_context,
      SiteInstanceImpl* site_instance);
  // Should be called when |browser_context| is used in a navigation.
@@ -552,20 +577,19 @@ class CONTENT_EXPORT RenderProcessHostImpl
  // Get an existing RenderProcessHost associated with the given browser
  // context, if possible.  The renderer process is chosen randomly from
  // suitable renderers that share the same context and type (determined by the
-  // site url).
+  // site url of |site_instance|).
  // Returns nullptr if no suitable renderer process is available, in which case
  // the caller is free to create a new renderer.
  static RenderProcessHost* GetExistingProcessHost(
-      content::BrowserContext* browser_context,
+      SiteInstanceImpl* site_instance);
-      const GURL& site_url);
  FRIEND_TEST_ALL_PREFIXES(RenderProcessHostUnitTest,
                           GuestsAreNotSuitableHosts);
-  // Returns a RenderProcessHost that is rendering |site_url| in one of its
+  // Returns a RenderProcessHost that is rendering a URL corresponding to
-  // frames, or that is expecting a navigation to |site_url|.
+  // |site_instance| in one of its frames, or that is expecting a navigation to
-  static RenderProcessHost* FindReusableProcessHostForSite(
+  // that SiteInstance.
-      BrowserContext* browser_context,
+  static RenderProcessHost* FindReusableProcessHostForSiteInstance(
-      const GURL& site_url);
+      SiteInstanceImpl* site_instance);
  void CreateMediaStreamDispatcherHost(
      MediaStreamManager* media_stream_manager,

--- a/content/browser/renderer_host/render_process_host_unittest.cc
+++ b/content/browser/renderer_host/render_process_host_unittest.cc
@@ -42,12 +42,16 @@ TEST_F(RenderProcessHostUnitTest, GuestsAreNotSuitableHosts) {
  MockRenderProcessHost guest_host(browser_context());
  guest_host.set_is_for_guests_only(true);
+  scoped_refptr<SiteInstanceImpl> site_instance =
+      SiteInstanceImpl::CreateForURL(browser_context(), test_url);
  EXPECT_FALSE(RenderProcessHostImpl::IsSuitableHost(
-      &guest_host, browser_context(), test_url));
+      &guest_host, browser_context(), site_instance->GetSiteURL(),
+      site_instance->lock_url()));
  EXPECT_TRUE(RenderProcessHostImpl::IsSuitableHost(
-      process(), browser_context(), test_url));
+      process(), browser_context(), site_instance->GetSiteURL(),
-  EXPECT_EQ(process(), RenderProcessHostImpl::GetExistingProcessHost(
+      site_instance->lock_url()));
-                           browser_context(), test_url));
+  EXPECT_EQ(process(),
+            RenderProcessHostImpl::GetExistingProcessHost(site_instance.get()));
 }
 #if !defined(OS_ANDROID) && !defined(OS_CHROMEOS)

--- a/content/browser/site_instance_impl.cc
+++ b/content/browser/site_instance_impl.cc
@@ -104,7 +104,8 @@ bool SiteInstanceImpl::HasProcess() const {
      browsing_instance_->browser_context();
  if (has_site_ &&
      RenderProcessHost::ShouldUseProcessPerSite(browser_context, site_) &&
-      RenderProcessHostImpl::GetProcessHostForSite(browser_context, site_)) {
+      RenderProcessHostImpl::GetSoleProcessHostForSite(browser_context, site_,
+                                                       lock_url_)) {
    return true;
  }
@@ -133,8 +134,7 @@ RenderProcessHost* SiteInstanceImpl::GetProcess() {
      process_reuse_policy_ = ProcessReusePolicy::DEFAULT;
    }
-    process_ = RenderProcessHostImpl::GetProcessHostForSiteInstance(
+    process_ = RenderProcessHostImpl::GetProcessHostForSiteInstance(this);
-        browser_context, this);
    CHECK(process_);
    process_->AddObserver(this);
@@ -144,8 +144,8 @@ RenderProcessHost* SiteInstanceImpl::GetProcess() {
    // at this time, we will register it in SetSite().)
    if (process_reuse_policy_ == ProcessReusePolicy::PROCESS_PER_SITE &&
        has_site_) {
-      RenderProcessHostImpl::RegisterProcessHostForSite(browser_context,
+      RenderProcessHostImpl::RegisterSoleProcessHostForSite(browser_context,
-                                                        process_, site_);
+                                                            process_, this);
    }
    TRACE_EVENT2("navigation", "SiteInstanceImpl::GetProcess",
@@ -182,8 +182,10 @@ void SiteInstanceImpl::SetSite(const GURL& url) {
  // URL is invalid.
  has_site_ = true;
  BrowserContext* browser_context = browsing_instance_->browser_context();
-  site_ = GetSiteForURL(browser_context, url);
+  site_ =
+      GetSiteForURL(browser_context, url, true /* should_use_effective_urls */);
  original_url_ = url;
+  lock_url_ = DetermineProcessLockURL(browser_context, url);
  // Now that we have a site, register it with the BrowsingInstance.  This
  // ensures that we won't create another SiteInstance for this site within
@@ -203,8 +205,8 @@ void SiteInstanceImpl::SetSite(const GURL& url) {
    // Ensure the process is registered for this site if necessary.
    if (should_use_process_per_site) {
-      RenderProcessHostImpl::RegisterProcessHostForSite(
+      RenderProcessHostImpl::RegisterSoleProcessHostForSite(browser_context,
-          browser_context, process_, site_);
+                                                            process_, this);
    }
  }
 }
@@ -262,9 +264,13 @@ bool SiteInstanceImpl::HasWrongProcessForURL(const GURL& url) {
  // If the site URL is an extension (e.g., for hosted apps or WebUI) but the
  // process is not (or vice versa), make sure we notice and fix it.
-  GURL site_url = GetSiteForURL(browsing_instance_->browser_context(), url);
+  GURL site_url =
+      SiteInstance::GetSiteForURL(browsing_instance_->browser_context(), url);
+  GURL origin_lock =
+      DetermineProcessLockURL(browsing_instance_->browser_context(), url);
  return !RenderProcessHostImpl::IsSuitableHost(
-      GetProcess(), browsing_instance_->browser_context(), site_url);
+      GetProcess(), browsing_instance_->browser_context(), site_url,
+      origin_lock);
 }
 scoped_refptr<SiteInstanceImpl>
@@ -415,12 +421,32 @@ bool SiteInstanceImpl::IsSameWebSite(BrowserContext* browser_context,
 // static
 GURL SiteInstance::GetSiteForURL(BrowserContext* browser_context,
-                                 const GURL& real_url) {
+                                 const GURL& url) {
+  // By default, GetSiteForURL will resolve |real_url| to an effective URL
+  // before computing its site.
+  return SiteInstanceImpl::GetSiteForURL(browser_context, url,
+                                         true /* should_use_effective_urls */);
+}
+// static
+GURL SiteInstanceImpl::DetermineProcessLockURL(BrowserContext* browser_context,
+                                               const GURL& url) {
+  // For the process lock URL, convert |url| to a site without resolving |url|
+  // to an effective URL.
+  return SiteInstanceImpl::GetSiteForURL(browser_context, url,
+                                         false /* should_use_effective_urls */);
+}
+GURL SiteInstanceImpl::GetSiteForURL(BrowserContext* browser_context,
+                                     const GURL& real_url,
+                                     bool should_use_effective_urls) {
  // TODO(fsamuel, creis): For some reason appID is not recognized as a host.
  if (real_url.SchemeIs(kGuestScheme))
    return real_url;
-  GURL url = SiteInstanceImpl::GetEffectiveURL(browser_context, real_url);
+  GURL url = should_use_effective_urls
+                 ? SiteInstanceImpl::GetEffectiveURL(browser_context, real_url)
+                 : real_url;
  url::Origin origin = url::Origin::Create(url);
  // Isolated origins should use the full origin as their site URL. A subdomain
@@ -522,7 +548,7 @@ bool SiteInstanceImpl::DoesSiteRequireDedicatedProcess(
    return true;
  // Always require a dedicated process for isolated origins.
-  GURL site_url = GetSiteForURL(browser_context, url);
+  GURL site_url = SiteInstance::GetSiteForURL(browser_context, url);
  auto* policy = ChildProcessSecurityPolicyImpl::GetInstance();
  if (policy->IsIsolatedOrigin(url::Origin::Create(site_url)))
    return true;
@@ -605,7 +631,7 @@ void SiteInstanceImpl::LockToOriginIfNeeded() {
  ChildProcessSecurityPolicyImpl* policy =
      ChildProcessSecurityPolicyImpl::GetInstance();
-  auto lock_state = policy->CheckOriginLock(process_->GetID(), site_);
+  auto lock_state = policy->CheckOriginLock(process_->GetID(), lock_url());
  if (ShouldLockToOrigin(GetBrowserContext(), site_)) {
    // Sanity check that this won't try to assign an origin lock to a <webview>
    // process, which can't be locked.
@@ -617,7 +643,7 @@ void SiteInstanceImpl::LockToOriginIfNeeded() {
        // strong protection. If only some sites are isolated, we need
        // additional logic to prevent the non-isolated sites from requesting
        // resources for isolated sites. https://crbug.com/509125
-        process_->LockToOrigin(site_);
+        process_->LockToOrigin(lock_url());
        break;
      }
      case CheckOriginLockResult::HAS_WRONG_LOCK:
@@ -628,7 +654,7 @@ void SiteInstanceImpl::LockToOriginIfNeeded() {
        base::debug::SetCrashKeyString(
            bad_message::GetKilledProcessOriginLockKey(),
            policy->GetOriginLock(process_->GetID()).spec());
-        CHECK(false) << "Trying to lock a process to " << site_
+        CHECK(false) << "Trying to lock a process to " << lock_url()
                     << " but the process is already locked to "
                     << policy->GetOriginLock(process_->GetID());
        break;

--- a/content/browser/site_instance_impl.h
+++ b/content/browser/site_instance_impl.h
@@ -116,11 +116,29 @@ class CONTENT_EXPORT SiteInstanceImpl final : public SiteInstance,
  // May be empty if this SiteInstance does not have a |site_|.
  const GURL& original_url() { return original_url_; }
+  // Returns the URL which should be used in a LockToOrigin call for this
+  // SiteInstance's process.
+  const GURL& lock_url() { return lock_url_; }
  // True if |url| resolves to an effective URL that is different from |url|.
  // See GetEffectiveURL().  This will be true for hosted apps as well as NTP
  // URLs.
  static bool HasEffectiveURL(BrowserContext* browser_context, const GURL& url);
+  // Returns the site for the given URL, which includes only the scheme and
+  // registered domain.  Returns an empty GURL if the URL has no host.
+  // |use_effective_urls| specifies whether to resolve |url| to an effective
+  // URL (via ContentBrowserClient::GetEffectiveURL()) before determining the
+  // site.
+  static GURL GetSiteForURL(BrowserContext* context,
+                            const GURL& url,
+                            bool use_effective_urls);
+  // Returns the URL to which a process should be locked for the given URL.
+  // This is computed similarly to the site URL (see GetSiteForURL), but
+  // without resolving effective URLs.
+  static GURL DetermineProcessLockURL(BrowserContext* context, const GURL& url);
  // Returns the SiteInstance, related to this one, that should be used
  // for subframes when an oopif is required, but a dedicated process is not.
  // This SiteInstance will be created if it doesn't already exist. There is
@@ -275,6 +293,12 @@ class CONTENT_EXPORT SiteInstanceImpl final : public SiteInstance,
  // The URL which was used to set the |site_| for this SiteInstance.
  GURL original_url_;
+  // The URL to use when locking a process to this SiteInstance's site via
+  // LockToOrigin().  This is the same as |site_| except for cases involving
+  // effective URLs, such as hosted apps.  In those cases, this URL is a site
+  // URL that is computed without the use of effective URLs.
+  GURL lock_url_;
  // The ProcessReusePolicy to use when creating a RenderProcessHost for this
  // SiteInstance.
  ProcessReusePolicy process_reuse_policy_;

--- a/content/browser/site_instance_impl_unittest.cc
+++ b/content/browser/site_instance_impl_unittest.cc
--- a/content/public/browser/site_instance.h
+++ b/content/public/browser/site_instance.h
@@ -170,7 +170,9 @@ class CONTENT_EXPORT SiteInstance : public base::RefCounted<SiteInstance> {
                            const GURL& dest_url);
  // Returns the site for the given URL, which includes only the scheme and
-  // registered domain.  Returns an empty GURL if the URL has no host.
+  // registered domain.  Returns an empty GURL if the URL has no host. Prior to
+  // determining the site, |url| is resolved to an effective URL via
+  // ContentBrowserClient::GetEffectiveURL().
  static GURL GetSiteForURL(BrowserContext* context, const GURL& url);
 protected: