Index: net/url_request/url_request.h |
diff --git a/net/url_request/url_request.h b/net/url_request/url_request.h |
index ea6a54d3c47e0e55c0a2d60be33afd781996f346..84e0f56f511487c404f4dd11f11f5eea08547328 100644 |
--- a/net/url_request/url_request.h |
+++ b/net/url_request/url_request.h |
@@ -43,6 +43,10 @@ class StackTrace; |
} // namespace debug |
} // namespace base |
+namespace url { |
+class Origin; |
+} |
Mike West
2016/01/13 08:10:22
Dropping this in favor of including the header; th
|
+ |
namespace net { |
class ChunkedUploadDataStream; |
@@ -255,7 +259,8 @@ class NET_EXPORT URLRequest : NON_EXPORTED_BASE(public base::NonThreadSafe), |
const GURL& url() const { return url_chain_.back(); } |
// The URL that should be consulted for the third-party cookie blocking |
- // policy. |
+ // policy, as defined in Section 2.1.1 and 2.1.2 of |
+ // https://tools.ietf.org/html/draft-west-first-party-cookies. |
// |
// WARNING: This URL must only be used for the third-party cookie blocking |
// policy. It MUST NEVER be used for any kind of SECURITY check. |
@@ -285,12 +290,35 @@ class NET_EXPORT URLRequest : NON_EXPORTED_BASE(public base::NonThreadSafe), |
} |
void set_first_party_url_policy(FirstPartyURLPolicy first_party_url_policy); |
+ // The origin of the context which initiated the request. This is distinct |
+ // from the "first party for cookies" discussed above in a number of ways: |
+ // |
+ // 1. The request's initiator does not change during a redirect. If a form |
+ // submission from `https://example.com/` redirects through a number of |
+ // sites before landing on `https://not-example.com/`, the initiator for |
+ // each of those requests will be `https://example.com/`. |
+ // |
+ // 2. The request's initiator is the origin of the frame or worker which made |
+ // the request, even for top-level navigations. That is, if |
+ // `https://example.com/`'s form submission is made in the top-level frame, |
+ // the first party for cookies would be the target URL's origin. The |
+ // initiator remains `https://example.com/`. |
+ // |
+ // This value is used to perform the cross-origin check specified in Section |
+ // 4.3 of https://tools.ietf.org/html/draft-west-first-party-cookies. |
mmenke
2016/01/12 16:20:58
Thanks for this great description!
|
+ const url::Origin& initiator() const { return initiator_; } |
+ // This method may only be called before Start(). |
+ void set_initiator(const url::Origin& initiator); |
+ |
// The request method, as an uppercase string. "GET" is the default value. |
// The request method may only be changed before Start() is called and |
// should only be assigned an uppercase value. |
const std::string& method() const { return method_; } |
void set_method(const std::string& method); |
+ // True if the request method is "safe" (per section 4.2.1 of RFC 7231). |
+ bool IsMethodSafe() const; |
mmenke
2016/01/12 16:20:58
This class already supports a huge API, I don't wa
Mike West
2016/01/13 08:10:22
Done.
Mike West
2016/01/13 08:10:22
Done.
|
+ |
// The referrer URL for the request. This header may actually be suppressed |
// from the underlying network request for security reasons (e.g., a HTTPS |
// URL will not be sent as the referrer for a HTTP request). The referrer |
@@ -766,6 +794,7 @@ class NET_EXPORT URLRequest : NON_EXPORTED_BASE(public base::NonThreadSafe), |
std::vector<GURL> url_chain_; |
GURL first_party_for_cookies_; |
+ url::Origin initiator_; |
GURL delegate_redirect_url_; |
std::string method_; // "GET", "POST", etc. Should be all uppercase. |
std::string referrer_; |