WIP: Teach "First-Party-Only" cookies about the requestor origin.

net/cookies/canonical_cookie.cc

Index: net/cookies/canonical_cookie.cc
diff --git a/net/cookies/canonical_cookie.cc b/net/cookies/canonical_cookie.cc
index eae8298fc78e69eb4225739c5c220222012068f4..6297b9647b9db5259aae34a3b7a4ed0a3e1dd325 100644
--- a/net/cookies/canonical_cookie.cc
+++ b/net/cookies/canonical_cookie.cc
@@ -51,6 +51,7 @@
 #include "net/cookies/cookie_util.h"
 #include "net/cookies/parsed_cookie.h"
 #include "url/gurl.h"
+#include "url/origin.h"
 #include "url/url_canon.h"
 
 using base::Time;
@@ -404,12 +405,17 @@ bool CanonicalCookie::IncludeForRequestURL(const GURL& url,
   if (!IsOnPath(url.path()))
     return false;
 
-  // Include first-party-only cookies iff |options| tells us to include all of
-  // them, or if a first-party URL is set and its origin matches the origin of
-  // |url|.
-  if (IsFirstPartyOnly() && !options.include_first_party_only() &&
-      options.first_party_url().GetOrigin() != url.GetOrigin()) {
-    return false;
+  // Include first-party-only cookies if one of the following is true:
+  //
+  // 1. |options| tells us to include all of them
+  // 2. A first-party URL is set and its origin matches the origin of |url|,
+  //    _and_ that first-party URL is same-origin with the requestor origin.
+  if (IsFirstPartyOnly() && !options.include_first_party_only()) {
+    url::Origin first_party(options.first_party_url());
+    url::Origin request(url);
+    if (!first_party.IsSameOriginWith(request) || !options.requestor_origin().IsSameOriginWith(request)) {
+      return false;
+    }
   }
 
   return true;