Teach URLRequest about initiator checks for First-Party-Only cookies.

net/url_request/url_request_http_job.cc

Index: net/url_request/url_request_http_job.cc
diff --git a/net/url_request/url_request_http_job.cc b/net/url_request/url_request_http_job.cc
index 47a0666e3fc7ad50225110e7f394da8adf08c83c..6bdde14af72df4d60c1ebb379de28bab4a2bdc78 100644
--- a/net/url_request/url_request_http_job.cc
+++ b/net/url_request/url_request_http_job.cc
@@ -674,13 +674,20 @@ void URLRequestHttpJob::DoLoadCookies() {
   CookieOptions options;
   options.set_include_httponly();
 
-  // TODO(mkwst): Drop this `if` once we decide whether or not to ship
-  // first-party cookies: https://crbug.com/459154
-  if (network_delegate() &&
-      network_delegate()->AreExperimentalCookieFeaturesEnabled())
-    options.set_first_party(url::Origin(request_->first_party_for_cookies()));
-  else
-    options.set_include_first_party_only();
+  // TODO(mkwst): If first-party-only cookies aren't enabled, pretend the
+  // request is first-party regardless, in order to include all cookies. Drop
+  // this check once we decide whether or not we're shipping this feature:
+  // https://crbug.com/459154
+  url::Origin origin(request_->url());
+  if (!network_delegate() ||
+      !network_delegate()->AreExperimentalCookieFeaturesEnabled()) {
+    options.set_include_first_party_only_cookies();
+  } else if (origin.IsSameOriginWith(
+                 url::Origin(request_->first_party_for_cookies())) &&
+             (request_->IsMethodSafe() ||
+              origin.IsSameOriginWith(request_->initiator()))) {

[mmenke, 2016/01/12 16:20:58]

So for "unsafe" requests without an initiator set, we'll never send first party
only cookies?  I'm not concerned about this effect on requests from the
renderer, but this also affects all internal requests issues by Chrome.

Are we not sending first party cookies for those, anyways, because
first_party_for_cookies isn't set by (most/all?) callers, and by default, we
don't update it on redirects?

[Mike West, 2016/01/13 08:10:22]

Well, we can decide how this ought to work. Since we're not actually using
first-party-only cookies for any service that internal requests issue at the
moment, I think I'd prefer to err on the side of not sending the cookies if the
initiator isn't set, as that means that things fail closed if I've screwed up
some piece of the renderer side. If we decide that we need first-party-only
cookies for some service, then that service can/should ensure that requests it
makes have a reasonable initiator.

WDYT?

[mmenke, 2016/01/13 16:30:16]

This sounds reasonable.

+    options.set_include_first_party_only_cookies();
+  }
 
   request_->context()->cookie_store()->GetCookiesWithOptionsAsync(
       request_->url(), options, base::Bind(&URLRequestHttpJob::OnCookiesLoaded,