Index: net/url_request/url_request_http_job.cc |
diff --git a/net/url_request/url_request_http_job.cc b/net/url_request/url_request_http_job.cc |
index 47a0666e3fc7ad50225110e7f394da8adf08c83c..6bdde14af72df4d60c1ebb379de28bab4a2bdc78 100644 |
--- a/net/url_request/url_request_http_job.cc |
+++ b/net/url_request/url_request_http_job.cc |
@@ -674,13 +674,20 @@ void URLRequestHttpJob::DoLoadCookies() { |
CookieOptions options; |
options.set_include_httponly(); |
- // TODO(mkwst): Drop this `if` once we decide whether or not to ship |
- // first-party cookies: https://crbug.com/459154 |
- if (network_delegate() && |
- network_delegate()->AreExperimentalCookieFeaturesEnabled()) |
- options.set_first_party(url::Origin(request_->first_party_for_cookies())); |
- else |
- options.set_include_first_party_only(); |
+ // TODO(mkwst): If first-party-only cookies aren't enabled, pretend the |
+ // request is first-party regardless, in order to include all cookies. Drop |
+ // this check once we decide whether or not we're shipping this feature: |
+ // https://crbug.com/459154 |
+ url::Origin origin(request_->url()); |
+ if (!network_delegate() || |
+ !network_delegate()->AreExperimentalCookieFeaturesEnabled()) { |
+ options.set_include_first_party_only_cookies(); |
+ } else if (origin.IsSameOriginWith( |
+ url::Origin(request_->first_party_for_cookies())) && |
+ (request_->IsMethodSafe() || |
+ origin.IsSameOriginWith(request_->initiator()))) { |
mmenke
2016/01/12 16:20:58
So for "unsafe" requests without an initiator set,
Mike West
2016/01/13 08:10:22
Well, we can decide how this ought to work. Since
mmenke
2016/01/13 16:30:16
This sounds reasonable.
|
+ options.set_include_first_party_only_cookies(); |
+ } |
request_->context()->cookie_store()->GetCookiesWithOptionsAsync( |
request_->url(), options, base::Bind(&URLRequestHttpJob::OnCookiesLoaded, |