Teach URLRequest about initiator checks for First-Party-Only cookies.

net/url_request/url_request_http_job.cc

 // Copyright (c) 2012 The Chromium Authors. All rights reserved.
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
 #include "net/url_request/url_request_http_job.h"
 
 #include "base/base_switches.h"
 #include "base/bind.h"
 #include "base/bind_helpers.h"
 #include "base/command_line.h"
@@ skipping 656 matching lines @@
                    weak_factory_.GetWeakPtr()));
   } else {
     DoStartTransaction();
   }
 }
 
 void URLRequestHttpJob::DoLoadCookies() {
   CookieOptions options;
   options.set_include_httponly();
 
-  // TODO(mkwst): Drop this `if` once we decide whether or not to ship
-  // first-party cookies: https://crbug.com/459154
-  if (network_delegate() &&
-      network_delegate()->AreExperimentalCookieFeaturesEnabled())
-    options.set_first_party(url::Origin(request_->first_party_for_cookies()));
-  else
-    options.set_include_first_party_only();
+  // TODO(mkwst): If first-party-only cookies aren't enabled, pretend the
+  // request is first-party regardless, in order to include all cookies. Drop
+  // this check once we decide whether or not we're shipping this feature:
+  // https://crbug.com/459154
+  url::Origin origin(request_->url());
+  if (!network_delegate() ||
+      !network_delegate()->AreExperimentalCookieFeaturesEnabled()) {
+    options.set_include_first_party_only_cookies();
+  } else if (origin.IsSameOriginWith(
+                 url::Origin(request_->first_party_for_cookies())) &&
+             (request_->IsMethodSafe() ||
+              origin.IsSameOriginWith(request_->initiator()))) {

[mmenke, 2016/01/12 16:20:58]

So for "unsafe" requests without an initiator set, we'll never send first party
only cookies?  I'm not concerned about this effect on requests from the
renderer, but this also affects all internal requests issues by Chrome.

Are we not sending first party cookies for those, anyways, because
first_party_for_cookies isn't set by (most/all?) callers, and by default, we
don't update it on redirects?

[Mike West, 2016/01/13 08:10:22]

Well, we can decide how this ought to work. Since we're not actually using
first-party-only cookies for any service that internal requests issue at the
moment, I think I'd prefer to err on the side of not sending the cookies if the
initiator isn't set, as that means that things fail closed if I've screwed up
some piece of the renderer side. If we decide that we need first-party-only
cookies for some service, then that service can/should ensure that requests it
makes have a reasonable initiator.

WDYT?

[mmenke, 2016/01/13 16:30:16]

This sounds reasonable.

+    options.set_include_first_party_only_cookies();
+  }
 
   request_->context()->cookie_store()->GetCookiesWithOptionsAsync(
       request_->url(), options, base::Bind(&URLRequestHttpJob::OnCookiesLoaded,
                                            weak_factory_.GetWeakPtr()));
 }
 
 void URLRequestHttpJob::CheckCookiePolicyAndLoad(
     const CookieList& cookie_list) {
   if (CanGetCookies(cookie_list))
     DoLoadCookies();
@@ skipping 916 matching lines @@
   return override_response_headers_.get() ?
              override_response_headers_.get() :
              transaction_->GetResponseInfo()->headers.get();
 }
 
 void URLRequestHttpJob::NotifyURLRequestDestroyed() {
   awaiting_callback_ = false;
 }
 
 }  // namespace net