Allow IsolatedOrigins to be merged from enterprise policy and field trials |
|||||||||||
Issue descriptionCurrently, we don't merge values of IsolateOrigins that are specified by --isolate-origins, enterprise policy, and field trial experiments. Enterprise policy gets priority, which means that we can't run experiments to isolate additional origins when the enterprise policy is in effect. While field trials shouldn't be allowed to overwrite the enterprise policy list for security reasons, they should be able to specify additional isolated origins to be merged with the enterprise policy list.
,
Oct 15
,
Oct 15
The following revision refers to this bug: https://chromium.googlesource.com/chromium/src.git/+/f886ee2a7a16d004d86c5dd10b922bc5cc1089ac commit f886ee2a7a16d004d86c5dd10b922bc5cc1089ac Author: Alex Moshchuk <alexmos@chromium.org> Date: Mon Oct 15 20:11:54 2018 Merge isolated origins from cmdline flag and field trials. Previously, specifying the --isolate-origins command-line flag prevented any field trials involving the IsolateOrigins feature from specifying additional isolated origins. This meant that it's not possible to experiment with additional isolated origins via field trials when an IsolateOrigins enterprise policy is in effect. This CL changes the logic to instead merge any isolated origins specified in field trials with those specified by the cmdline flag. Bug: 894535 Change-Id: If38fe3280dad7f4af3d8b5383556239493ffc7f3 Reviewed-on: https://chromium-review.googlesource.com/c/1279414 Reviewed-by: Łukasz Anforowicz <lukasza@chromium.org> Commit-Queue: Alex Moshchuk <alexmos@chromium.org> Cr-Commit-Position: refs/heads/master@{#599730} [modify] https://crrev.com/f886ee2a7a16d004d86c5dd10b922bc5cc1089ac/content/browser/isolated_origin_browsertest.cc [modify] https://crrev.com/f886ee2a7a16d004d86c5dd10b922bc5cc1089ac/content/public/browser/site_isolation_policy.cc
,
Oct 19
Verified that this is working on Mac Canary 72.0.3584.0, with the following command-line flags: --isolate-origins=https://csreis.github.io --enable-features="IsolateOrigins<Foo" --force-fieldtrials=Foo/Enabled --force-fieldtrial-params=Foo.Enabled:OriginsList/https%3A%2F%2Fmail.google.com%2Chttps%3A%2F%2Fhangouts.google.com This isolates csreis.github.io via --isolate-origins and also creates a fake field study that adds two isolated origins, mail.google.com and hangouts.google.com. The latter two origins take effect even though --isolate-origins is present, as verified by going to mail.google.com and observing subframe processes in task manager. chrome://process-internals correctly shows four isolated origins (the three origins here plus accounts.google.com). Also verified on Windows canary with enterprise IsolateOrigins policy in effect.
,
Oct 31
Requesting merge for M71: - This is a fairly simple and well-contained change that should be safe. - This will allow us to run finer-grained IsolateOrigins experiments in M71, even when an IsolateOrigins enterprise policy is present (see go/gsuite-origin-isolation, internal only). - This might also help with current site isolation trials of IsolateOrigins for Android users who are covered by an active IsolateOrigins enterprise policy. Previously, having an enterprise policy meant that the field trial origins wouldn't be used at all (effectively excluding all Googlers, for example).
,
Oct 31
This bug requires manual review: M71 has already been promoted to the beta branch, so this requires manual review Please contact the milestone owner if you have questions. Owners: benmason@(Android), kariahda@(iOS), kbleicher@(ChromeOS), govind@(Desktop) For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot
,
Oct 31
Approving merge to M71 branch 3578 based on comment #5. Pls merge ASAP. Thank you.
,
Oct 31
I can help with the merge.
,
Oct 31
The following revision refers to this bug: https://chromium.googlesource.com/chromium/src.git/+/30efe78b839d3a12a601bdae7143b3845c26085b Commit: 30efe78b839d3a12a601bdae7143b3845c26085b Author: lukasza@chromium.org Commiter: lukasza@chromium.org Date: 2018-10-31 19:58:24 +0000 UTC [M71] Merge isolated origins from cmdline flag and field trials. Previously, specifying the --isolate-origins command-line flag prevented any field trials involving the IsolateOrigins feature from specifying additional isolated origins. This meant that it's not possible to experiment with additional isolated origins via field trials when an IsolateOrigins enterprise policy is in effect. This CL changes the logic to instead merge any isolated origins specified in field trials with those specified by the cmdline flag. TBR=alexmos@chromium.org (cherry picked from commit f886ee2a7a16d004d86c5dd10b922bc5cc1089ac) Bug: 894535 Change-Id: If38fe3280dad7f4af3d8b5383556239493ffc7f3 Reviewed-on: https://chromium-review.googlesource.com/c/1279414 Reviewed-by: Łukasz Anforowicz <lukasza@chromium.org> Commit-Queue: Alex Moshchuk <alexmos@chromium.org> Cr-Original-Commit-Position: refs/heads/master@{#599730} Reviewed-on: https://chromium-review.googlesource.com/c/1311114 Cr-Commit-Position: refs/branch-heads/3578@{#436} Cr-Branched-From: 4226ddf99103e493d7afb23a4c7902ee496108b6-refs/heads/master@{#599034}
,
Oct 31
The following revision refers to this bug: https://chromium.googlesource.com/chromium/src.git/+/30efe78b839d3a12a601bdae7143b3845c26085b commit 30efe78b839d3a12a601bdae7143b3845c26085b Author: Lukasz Anforowicz <lukasza@chromium.org> Date: Wed Oct 31 19:58:24 2018 [M71] Merge isolated origins from cmdline flag and field trials. Previously, specifying the --isolate-origins command-line flag prevented any field trials involving the IsolateOrigins feature from specifying additional isolated origins. This meant that it's not possible to experiment with additional isolated origins via field trials when an IsolateOrigins enterprise policy is in effect. This CL changes the logic to instead merge any isolated origins specified in field trials with those specified by the cmdline flag. TBR=alexmos@chromium.org (cherry picked from commit f886ee2a7a16d004d86c5dd10b922bc5cc1089ac) Bug: 894535 Change-Id: If38fe3280dad7f4af3d8b5383556239493ffc7f3 Reviewed-on: https://chromium-review.googlesource.com/c/1279414 Reviewed-by: Łukasz Anforowicz <lukasza@chromium.org> Commit-Queue: Alex Moshchuk <alexmos@chromium.org> Cr-Original-Commit-Position: refs/heads/master@{#599730} Reviewed-on: https://chromium-review.googlesource.com/c/1311114 Cr-Commit-Position: refs/branch-heads/3578@{#436} Cr-Branched-From: 4226ddf99103e493d7afb23a4c7902ee496108b6-refs/heads/master@{#599034} [modify] https://crrev.com/30efe78b839d3a12a601bdae7143b3845c26085b/content/browser/isolated_origin_browsertest.cc [modify] https://crrev.com/30efe78b839d3a12a601bdae7143b3845c26085b/content/public/browser/site_isolation_policy.cc
,
Oct 31
Thanks for the merge, Lukasz!
,
Jan 9
|
|||||||||||
►
Sign in to add a comment |
|||||||||||
Comment 1 by alex...@chromium.org
, Oct 11