Teach URLRequest about initiator checks for First-Party-Only cookies.

net/url_request/url_request.h

 // Copyright (c) 2012 The Chromium Authors. All rights reserved.
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
 #ifndef NET_URL_REQUEST_URL_REQUEST_H_
 #define NET_URL_REQUEST_URL_REQUEST_H_
 
 #include <stdint.h>
 
 #include <string>
@@ skipping 24 matching lines @@
 #include "url/gurl.h"
 
 namespace base {
 class Value;
 
 namespace debug {
 class StackTrace;
 }  // namespace debug
 }  // namespace base
 
+namespace url {
+class Origin;
+}
+
 namespace net {
 
 class ChunkedUploadDataStream;
 class CookieOptions;
 class HostPortPair;
 class IOBuffer;
 struct LoadTimingInfo;
 struct RedirectInfo;
 class SSLCertRequestInfo;
 class SSLInfo;
@@ skipping 190 matching lines @@
 
   // The original url is the url used to initialize the request, and it may
   // differ from the url if the request was redirected.
   const GURL& original_url() const { return url_chain_.front(); }
   // The chain of urls traversed by this request.  If the request had no
   // redirects, this vector will contain one element.
   const std::vector<GURL>& url_chain() const { return url_chain_; }
   const GURL& url() const { return url_chain_.back(); }
 
   // The URL that should be consulted for the third-party cookie blocking
-  // policy.
+  // policy, as defined in Section 2.1.1 and 2.1.2 of
+  // https://tools.ietf.org/html/draft-west-first-party-cookies.
   //
   // WARNING: This URL must only be used for the third-party cookie blocking
   //          policy. It MUST NEVER be used for any kind of SECURITY check.
   //
   //          For example, if a top-level navigation is redirected, the
   //          first-party for cookies will be the URL of the first URL in the
   //          redirect chain throughout the whole redirect. If it was used for
   //          a security check, an attacker might try to get around this check
   //          by starting from some page that redirects to the
   //          host-to-be-attacked.
   //
   // TODO(mkwst): Convert this to a 'url::Origin'. Several callsites are using
   // this value as a proxy for the "top-level frame URL", which is simply
   // incorrect and fragile. We don't need the full URL for any //net checks,
   // so we should drop the pieces we don't need.
   const GURL& first_party_for_cookies() const {
     return first_party_for_cookies_;
   }
   // This method may only be called before Start().
   void set_first_party_for_cookies(const GURL& first_party_for_cookies);
 
   // The first-party URL policy to apply when updating the first party URL
   // during redirects. The first-party URL policy may only be changed before
   // Start() is called.
   FirstPartyURLPolicy first_party_url_policy() const {
     return first_party_url_policy_;
   }
   void set_first_party_url_policy(FirstPartyURLPolicy first_party_url_policy);
 
+  // The origin of the context which initiated the request. This is distinct
+  // from the "first party for cookies" discussed above in a number of ways:
+  //
+  // 1. The request's initiator does not change during a redirect. If a form
+  //    submission from `https://example.com/` redirects through a number of
+  //    sites

[mmenke, 2015/10/22 19:41:05]

nit:  Reformat

[Mike West, 2016/01/13 08:10:21]

Yikes. Thanks!

+  //    before landing on `https://not-example.com/`, the initiator for each of
+  //    those requests will be `https://example.com/`.
+  //
+  // 2. The request's initiator is the origin of the frame or worker which made
+  //    the request, even for top-level navigations. That is, if
+  //    `https://example.com/`'s form submission is made in the top-level frame,
+  //    the first party for cookies would be the target URL's origin. The
+  //    initiator remains `https://example.com/`.
+  //
+  // This value is used to perform the cross-origin check specified in Section
+  // 4.3 of https://tools.ietf.org/html/draft-west-first-party-cookies.

[mmenke, 2015/10/22 19:41:05]

Thanks for the detailed description!

+  const url::Origin& initiator() const { return initiator_; }
+  // This method may only be called before Start().
+  void set_initiator(const url::Origin& initiator);
+
   // The request method, as an uppercase string.  "GET" is the default value.
   // The request method may only be changed before Start() is called and
   // should only be assigned an uppercase value.
   const std::string& method() const { return method_; }
   void set_method(const std::string& method);
 
+  // True if the request method is "safe" (per section 4.2.1 of RFC 7231).
+  bool IsMethodSafe() const;
+
   // The referrer URL for the request.  This header may actually be suppressed
   // from the underlying network request for security reasons (e.g., a HTTPS
   // URL will not be sent as the referrer for a HTTP request).  The referrer
   // may only be changed before Start() is called.
   const std::string& referrer() const { return referrer_; }
   // Referrer is sanitized to remove URL fragment, user name and password.
   void SetReferrer(const std::string& referrer);
 
   // The referrer policy to apply when updating the referrer during redirects.
   // The referrer policy may only be changed before Start() is called.
@@ skipping 451 matching lines @@
   BoundNetLog net_log_;
 
   scoped_refptr<URLRequestJob> job_;
   scoped_ptr<UploadDataStream> upload_data_stream_;
   // TODO(mmenke):  Make whether or not an upload is chunked transparent to the
   // URLRequest.
   ChunkedUploadDataStream* upload_chunked_data_stream_;
 
   std::vector<GURL> url_chain_;
   GURL first_party_for_cookies_;
+  url::Origin initiator_;
   GURL delegate_redirect_url_;
   std::string method_;  // "GET", "POST", etc. Should be all uppercase.
   std::string referrer_;
   ReferrerPolicy referrer_policy_;
   FirstPartyURLPolicy first_party_url_policy_;
   HttpRequestHeaders extra_request_headers_;
   int load_flags_;  // Flags indicating the request type for the load;
                     // expected values are LOAD_* enums above.
 
   // Never access methods of the |delegate_| directly. Always use the
@@ skipping 82 matching lines @@
   HostPortPair proxy_server_;
 
   scoped_ptr<const base::debug::StackTrace> stack_trace_;
 
   DISALLOW_COPY_AND_ASSIGN(URLRequest);
 };
 
 }  // namespace net
 
 #endif  // NET_URL_REQUEST_URL_REQUEST_H_