Ignore memory threshold when password site isolation is overridden manually.

This CL fixes the undesirable behavior where manually enabling password site isolation from chrome://flags didn't take effect if the user's device was below the site isolation memory threshold. The same also affected strict origin isolation, which is also fixed. (Strict site isolation and IsolateOrigins are not affected because they map to cmdline switches rather than base::Features.) Bug: 1009828 Change-Id: Ibdfbca5ed1e2216e347e15a18c71ceaeafe2da03 Reviewed-on: https://chromium-review.googlesource.com/c/chromium/src/+/1845667 Commit-Queue: Alex Moshchuk <alexmos@chromium.org> Reviewed-by: Łukasz Anforowicz <lukasza@chromium.org> Cr-Commit-Position: refs/heads/master@{#704496}

Ignore memory threshold when password site isolation is overridden manually.
This CL fixes the undesirable behavior where manually enabling password site isolation from chrome://flags didn't take effect if the user's device was below the site isolation memory threshold. The same also affected strict origin isolation, which is also fixed. (Strict site isolation and IsolateOrigins are not affected because they map to cmdline switches rather than base::Features.) Bug: 1009828 Change-Id: Ibdfbca5ed1e2216e347e15a18c71ceaeafe2da03 Reviewed-on: https://chromium-review.googlesource.com/c/chromium/src/+/1845667 Commit-Queue: Alex Moshchuk <alexmos@chromium.org> Reviewed-by: Łukasz Anforowicz <lukasza@chromium.org> Cr-Commit-Position: refs/heads/master@{#704496}
7a737b63 · Alex Moshchuk · Commit Bot · c0159027 · 7a737b63 · 7a737b63
Commit 7a737b63 authored Oct 10, 2019 by Alex Moshchuk Committed by Commit Bot Oct 10, 2019
5 changed files
--- a/chrome/browser/chrome_content_browser_client.cc
+++ b/chrome/browser/chrome_content_browser_client.cc
@@ -1851,30 +1851,7 @@ bool ChromeContentBrowserClient::ShouldEnableStrictSiteIsolation() {
 }
 bool ChromeContentBrowserClient::ShouldDisableSiteIsolation() {
-  // Using 1077 rather than 1024 because 1) it helps ensure that devices with
+  return SiteIsolationPolicy::ShouldDisableSiteIsolationDueToMemoryThreshold();
-  // exactly 1GB of RAM won't get included because of inaccuracies or off-by-one
-  // errors and 2) this is the bucket boundary in Memory.Stats.Win.TotalPhys2.
-  // See also https://crbug.com/844118.
-  constexpr int kDefaultMemoryThresholdMb = 1077;
-  // TODO(acolwell): Rename feature since it now affects more than just the
-  // site-per-process case.
-  if (base::FeatureList::IsEnabled(
-          features::kSitePerProcessOnlyForHighMemoryClients)) {
-    int memory_threshold_mb = base::GetFieldTrialParamByFeatureAsInt(
-        features::kSitePerProcessOnlyForHighMemoryClients,
-        features::kSitePerProcessOnlyForHighMemoryClientsParamName,
-        kDefaultMemoryThresholdMb);
-    return base::SysInfo::AmountOfPhysicalMemoryMB() <= memory_threshold_mb;
-  }
-#if defined(OS_ANDROID)
-  if (base::SysInfo::AmountOfPhysicalMemoryMB() <= kDefaultMemoryThresholdMb) {
-    return true;
-  }
-#endif
-  return false;
 }
 std::vector<std::string>

--- a/chrome/browser/chrome_content_browser_client_browsertest.cc
+++ b/chrome/browser/chrome_content_browser_client_browsertest.cc
--- a/chrome/browser/site_isolation/site_isolation_policy.cc
+++ b/chrome/browser/site_isolation/site_isolation_policy.cc
@@ -16,9 +16,23 @@
 // static
 bool SiteIsolationPolicy::IsIsolationForPasswordSitesEnabled() {
-  // Ignore attempts to add new isolated origins when site isolation is turned
+  // If the user has explicitly enabled site isolation for password sites from
-  // off, for example via a command-line switch, or via a content/ embedder
+  // chrome://flags or from the command line, honor this regardless of policies
-  // that turns site isolation off for low-memory devices.
+  // that may disable site isolation.  In particular, this means that the
+  // chrome://flags switch for this feature takes precedence over any memory
+  // threshold restrictions and over a switch for disabling site isolation.
+  if (base::FeatureList::GetInstance()->IsFeatureOverriddenFromCommandLine(
+          features::kSiteIsolationForPasswordSites.name,
+          base::FeatureList::OVERRIDE_ENABLE_FEATURE)) {
+    return true;
+  }
+  // Don't isolate anything when site isolation is turned off by the user or
+  // policy. This includes things like the switches::kDisableSiteIsolation
+  // command-line switch, the corresponding "Disable site isolation" entry in
+  // chrome://flags, enterprise policy controlled via
+  // switches::kDisableSiteIsolationForPolicy, and memory threshold checks in
+  // ShouldDisableSiteIsolationDueToMemoryThreshold().
  if (!content::SiteIsolationPolicy::AreDynamicIsolatedOriginsEnabled())
    return false;
@@ -42,6 +56,34 @@ bool SiteIsolationPolicy::IsEnterprisePolicyApplicable() {
 #endif
 }
+// static
+bool SiteIsolationPolicy::ShouldDisableSiteIsolationDueToMemoryThreshold() {
+  // Using 1077 rather than 1024 because 1) it helps ensure that devices with
+  // exactly 1GB of RAM won't get included because of inaccuracies or off-by-one
+  // errors and 2) this is the bucket boundary in Memory.Stats.Win.TotalPhys2.
+  // See also https://crbug.com/844118.
+  constexpr int kDefaultMemoryThresholdMb = 1077;
+  // TODO(acolwell): Rename feature since it now affects more than just the
+  // site-per-process case.
+  if (base::FeatureList::IsEnabled(
+          features::kSitePerProcessOnlyForHighMemoryClients)) {
+    int memory_threshold_mb = base::GetFieldTrialParamByFeatureAsInt(
+        features::kSitePerProcessOnlyForHighMemoryClients,
+        features::kSitePerProcessOnlyForHighMemoryClientsParamName,
+        kDefaultMemoryThresholdMb);
+    return base::SysInfo::AmountOfPhysicalMemoryMB() <= memory_threshold_mb;
+  }
+#if defined(OS_ANDROID)
+  if (base::SysInfo::AmountOfPhysicalMemoryMB() <= kDefaultMemoryThresholdMb) {
+    return true;
+  }
+#endif
+  return false;
+}
 // static
 void SiteIsolationPolicy::ApplyPersistedIsolatedOrigins(Profile* profile) {
  // If the user turned off password-triggered isolation, don't apply any

--- a/chrome/browser/site_isolation/site_isolation_policy.h
+++ b/chrome/browser/site_isolation/site_isolation_policy.h
@@ -31,6 +31,15 @@ class SiteIsolationPolicy {
  // have been loaded.
  static void ApplyPersistedIsolatedOrigins(Profile* profile);
+  // Determines whether Site Isolation should be disabled because the device
+  // does not have the minimum required amount of memory.
+  //
+  // TODO(alexmos): Currently, the memory threshold is shared for all site
+  // isolation modes, including strict site isolation and password site
+  // isolation.  In the future, some site isolation modes may require their own
+  // memory threshold.
+  static bool ShouldDisableSiteIsolationDueToMemoryThreshold();
 private:
  DISALLOW_IMPLICIT_CONSTRUCTORS(SiteIsolationPolicy);
 };

--- a/content/public/browser/site_isolation_policy.cc
+++ b/content/public/browser/site_isolation_policy.cc
@@ -45,6 +45,8 @@ bool IsSiteIsolationDisabled() {
  }
 #endif
+  // Check with the embedder.  In particular, chrome/ uses this to disable site
+  // isolation when below a memory threshold.
  return GetContentClient() &&
         GetContentClient()->browser()->ShouldDisableSiteIsolation();
 }
@@ -90,6 +92,16 @@ bool SiteIsolationPolicy::AreIsolatedOriginsEnabled() {
 // static
 bool SiteIsolationPolicy::IsStrictOriginIsolationEnabled() {
+  // If the feature is explicitly enabled by the user (e.g., from
+  // chrome://flags), honor this regardless of checks to disable site isolation
+  // below.  This means this takes precedence over memory thresholds or
+  // switches to disable site isolation.
+  if (base::FeatureList::GetInstance()->IsFeatureOverriddenFromCommandLine(
+          features::kStrictOriginIsolation.name,
+          base::FeatureList::OVERRIDE_ENABLE_FEATURE)) {
+    return true;
+  }
  // TODO(wjmaclean): Figure out what should happen when this feature is
  // combined with --isolate-origins.
  if (IsSiteIsolationDisabled())