Index: net/url_request/url_request.h |
diff --git a/net/url_request/url_request.h b/net/url_request/url_request.h |
index f685cf76e7bb23fe2c0f93b28c687cd61cacc71a..5261d607942152ca900f8a5c3f489571a53f8cb2 100644 |
--- a/net/url_request/url_request.h |
+++ b/net/url_request/url_request.h |
@@ -42,6 +42,10 @@ class StackTrace; |
} // namespace debug |
} // namespace base |
+namespace url { |
+class Origin; |
+} |
+ |
namespace net { |
class ChunkedUploadDataStream; |
@@ -252,7 +256,8 @@ class NET_EXPORT URLRequest : NON_EXPORTED_BASE(public base::NonThreadSafe), |
const GURL& url() const { return url_chain_.back(); } |
// The URL that should be consulted for the third-party cookie blocking |
- // policy. |
+ // policy, as defined in Section 2.1.1 and 2.1.2 of |
+ // https://tools.ietf.org/html/draft-west-first-party-cookies. |
// |
// WARNING: This URL must only be used for the third-party cookie blocking |
// policy. It MUST NEVER be used for any kind of SECURITY check. |
@@ -282,12 +287,36 @@ class NET_EXPORT URLRequest : NON_EXPORTED_BASE(public base::NonThreadSafe), |
} |
void set_first_party_url_policy(FirstPartyURLPolicy first_party_url_policy); |
+ // The origin of the context which initiated the request. This is distinct |
+ // from the "first party for cookies" discussed above in a number of ways: |
+ // |
+ // 1. The request's initiator does not change during a redirect. If a form |
+ // submission from `https://example.com/` redirects through a number of |
+ // sites |
mmenke
2015/10/22 19:41:05
nit: Reformat
Mike West
2016/01/13 08:10:21
Yikes. Thanks!
|
+ // before landing on `https://not-example.com/`, the initiator for each of |
+ // those requests will be `https://example.com/`. |
+ // |
+ // 2. The request's initiator is the origin of the frame or worker which made |
+ // the request, even for top-level navigations. That is, if |
+ // `https://example.com/`'s form submission is made in the top-level frame, |
+ // the first party for cookies would be the target URL's origin. The |
+ // initiator remains `https://example.com/`. |
+ // |
+ // This value is used to perform the cross-origin check specified in Section |
+ // 4.3 of https://tools.ietf.org/html/draft-west-first-party-cookies. |
mmenke
2015/10/22 19:41:05
Thanks for the detailed description!
|
+ const url::Origin& initiator() const { return initiator_; } |
+ // This method may only be called before Start(). |
+ void set_initiator(const url::Origin& initiator); |
+ |
// The request method, as an uppercase string. "GET" is the default value. |
// The request method may only be changed before Start() is called and |
// should only be assigned an uppercase value. |
const std::string& method() const { return method_; } |
void set_method(const std::string& method); |
+ // True if the request method is "safe" (per section 4.2.1 of RFC 7231). |
+ bool IsMethodSafe() const; |
+ |
// The referrer URL for the request. This header may actually be suppressed |
// from the underlying network request for security reasons (e.g., a HTTPS |
// URL will not be sent as the referrer for a HTTP request). The referrer |
@@ -759,6 +788,7 @@ class NET_EXPORT URLRequest : NON_EXPORTED_BASE(public base::NonThreadSafe), |
std::vector<GURL> url_chain_; |
GURL first_party_for_cookies_; |
+ url::Origin initiator_; |
GURL delegate_redirect_url_; |
std::string method_; // "GET", "POST", etc. Should be all uppercase. |
std::string referrer_; |