Index: net/cookies/canonical_cookie.cc |
diff --git a/net/cookies/canonical_cookie.cc b/net/cookies/canonical_cookie.cc |
index eae8298fc78e69eb4225739c5c220222012068f4..6297b9647b9db5259aae34a3b7a4ed0a3e1dd325 100644 |
--- a/net/cookies/canonical_cookie.cc |
+++ b/net/cookies/canonical_cookie.cc |
@@ -51,6 +51,7 @@ |
#include "net/cookies/cookie_util.h" |
#include "net/cookies/parsed_cookie.h" |
#include "url/gurl.h" |
+#include "url/origin.h" |
#include "url/url_canon.h" |
using base::Time; |
@@ -404,12 +405,17 @@ bool CanonicalCookie::IncludeForRequestURL(const GURL& url, |
if (!IsOnPath(url.path())) |
return false; |
- // Include first-party-only cookies iff |options| tells us to include all of |
- // them, or if a first-party URL is set and its origin matches the origin of |
- // |url|. |
- if (IsFirstPartyOnly() && !options.include_first_party_only() && |
- options.first_party_url().GetOrigin() != url.GetOrigin()) { |
- return false; |
+ // Include first-party-only cookies if one of the following is true: |
+ // |
+ // 1. |options| tells us to include all of them |
+ // 2. A first-party URL is set and its origin matches the origin of |url|, |
+ // _and_ that first-party URL is same-origin with the requestor origin. |
+ if (IsFirstPartyOnly() && !options.include_first_party_only()) { |
+ url::Origin first_party(options.first_party_url()); |
+ url::Origin request(url); |
+ if (!first_party.IsSameOriginWith(request) || !options.requestor_origin().IsSameOriginWith(request)) { |
+ return false; |
+ } |
} |
return true; |
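Review bot: The rewritten first-party-only check in IncludeForRequestURL depends on how `url::Origin` treats an empty or non-standard-scheme URL, and neither the comment nor the code says what should happen when `options.first_party_url()` or `options.requestor_origin()` was never set by the caller. If such a value yields an origin that is never same-origin with `request`, the cookie is withheld, which is the safe direction; that should be stated, e.g. `// An unset first-party URL or requestor origin never matches, so the cookie is withheld.`, and pinned by a unit test that leaves `requestor_origin` at its default. Item 2 of the comment describes the first-party URL being same-origin with the requestor, while the code compares each of them against `request`; "both the first-party origin and the requestor origin are same-origin with |url|" would match what is checked. The combined condition also runs past 80 columns and would read better with one `IsSameOriginWith` call per line. The function begins above this hunk, so earlier filtering is not visible here.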