Teach URLRequest about initiator checks for First-Party-Only cookies.

content/renderer/render_frame_impl.cc

 // Copyright 2013 The Chromium Authors. All rights reserved.
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
 #include "content/renderer/render_frame_impl.h"
 
 #include <map>
 #include <string>
 
 #include "base/auto_reset.h"
@@ skipping 3206 matching lines @@
     blink::WebLocalFrame* frame,
     unsigned identifier,
     blink::WebURLRequest& request,
     const blink::WebURLResponse& redirect_response) {
   DCHECK(!frame_ || frame_ == frame);
   // The request my be empty during tests.
   if (request.url().isEmpty())
     return;
 
   // Set the first party for cookies url if it has not been set yet (new
   // requests). For redirects, it is updated by WebURLLoaderImpl.

[estark, 2015/10/20 23:41:58]

Is this comment true? In WebURLLoaderImpl I only see a TODO about this:
https://code.google.com/p/chromium/codesearch#chromium/src/components/html_vi...

[Mike West, 2015/10/22 13:17:02]

It's certainly true that we update the first party for a URLRequest during
redirects in URLRequestJob::ComputeRedirectInfo (controlled via the request's
`URLRequest::FirstPartyURLPolicy` enum). I guess things moved around since this
comment was written? I can update it to be less specific. :)

   if (request.firstPartyForCookies().isEmpty()) {
     if (request.frameType() == blink::WebURLRequest::FrameTypeTopLevel) {
       request.setFirstPartyForCookies(request.url());
     } else {
       // TODO(nasko): When the top-level frame is remote, there is no document.
       // This is broken and should be fixed to propagate the first party.
       WebFrame* top = frame->top();
       if (top->isWebLocalFrame()) {
         request.setFirstPartyForCookies(
             frame->top()->document().firstPartyForCookies());
       }
     }
+
+    // If the first-party isn't set, we need to set the first-party state as

[estark, 2015/10/20 23:41:58]

This comment isn't parsing for me. Is it possible that "first-party state" is
supposed to say "requestor origin" or something like that? Or is that what
first-party state means? I guess what I'm saying is that I'm confused. :)

[Mike West, 2015/10/22 13:17:02]

Yup. I can't type, obviously. Fixing the comment.

+    // well; it will not be updated during redirects.
+    request.setRequestorOrigin(frame->document().securityOrigin());
   }
 
   WebDataSource* provisional_data_source = frame->provisionalDataSource();
   WebDataSource* data_source =
       provisional_data_source ? provisional_data_source : frame->dataSource();
 
   DocumentState* document_state = DocumentState::FromDataSource(data_source);
   DCHECK(document_state);
   InternalDocumentStateData* internal_data =
       InternalDocumentStateData::FromDocumentState(document_state);
@@ skipping 1944 matching lines @@
   mojo::ServiceProviderPtr service_provider;
   mojo::URLRequestPtr request(mojo::URLRequest::New());
   request->url = mojo::String::From(url);
   mojo_shell_->ConnectToApplication(request.Pass(), GetProxy(&service_provider),
                                     nullptr, nullptr,
                                     base::Bind(&OnGotContentHandlerID));
   return service_provider.Pass();
 }
 
 }  // namespace content