Teach URLRequest about initiator checks for First-Party-Only cookies.

net/url_request/url_request.h

Index: net/url_request/url_request.h
diff --git a/net/url_request/url_request.h b/net/url_request/url_request.h
index f685cf76e7bb23fe2c0f93b28c687cd61cacc71a..5261d607942152ca900f8a5c3f489571a53f8cb2 100644
--- a/net/url_request/url_request.h
+++ b/net/url_request/url_request.h
@@ -42,6 +42,10 @@ class StackTrace;
 }  // namespace debug
 }  // namespace base
 
+namespace url {
+class Origin;
+}
+
 namespace net {
 
 class ChunkedUploadDataStream;
@@ -252,7 +256,8 @@ class NET_EXPORT URLRequest : NON_EXPORTED_BASE(public base::NonThreadSafe),
   const GURL& url() const { return url_chain_.back(); }
 
   // The URL that should be consulted for the third-party cookie blocking
-  // policy.
+  // policy, as defined in Section 2.1.1 and 2.1.2 of
+  // https://tools.ietf.org/html/draft-west-first-party-cookies.
   //
   // WARNING: This URL must only be used for the third-party cookie blocking
   //          policy. It MUST NEVER be used for any kind of SECURITY check.
@@ -282,12 +287,36 @@ class NET_EXPORT URLRequest : NON_EXPORTED_BASE(public base::NonThreadSafe),
   }
   void set_first_party_url_policy(FirstPartyURLPolicy first_party_url_policy);
 
+  // The origin of the context which initiated the request. This is distinct
+  // from the "first party for cookies" discussed above in a number of ways:
+  //
+  // 1. The request's initiator does not change during a redirect. If a form
+  //    submission from `https://example.com/` redirects through a number of
+  //    sites

[mmenke, 2015/10/22 19:41:05]

nit:  Reformat

[Mike West, 2016/01/13 08:10:21]

Yikes. Thanks!

+  //    before landing on `https://not-example.com/`, the initiator for each of
+  //    those requests will be `https://example.com/`.
+  //
+  // 2. The request's initiator is the origin of the frame or worker which made
+  //    the request, even for top-level navigations. That is, if
+  //    `https://example.com/`'s form submission is made in the top-level frame,
+  //    the first party for cookies would be the target URL's origin. The
+  //    initiator remains `https://example.com/`.
+  //
+  // This value is used to perform the cross-origin check specified in Section
+  // 4.3 of https://tools.ietf.org/html/draft-west-first-party-cookies.

[mmenke, 2015/10/22 19:41:05]

Thanks for the detailed description!

+  const url::Origin& initiator() const { return initiator_; }
+  // This method may only be called before Start().
+  void set_initiator(const url::Origin& initiator);
+
   // The request method, as an uppercase string.  "GET" is the default value.
   // The request method may only be changed before Start() is called and
   // should only be assigned an uppercase value.
   const std::string& method() const { return method_; }
   void set_method(const std::string& method);
 
+  // True if the request method is "safe" (per section 4.2.1 of RFC 7231).
+  bool IsMethodSafe() const;
+
   // The referrer URL for the request.  This header may actually be suppressed
   // from the underlying network request for security reasons (e.g., a HTTPS
   // URL will not be sent as the referrer for a HTTP request).  The referrer
@@ -759,6 +788,7 @@ class NET_EXPORT URLRequest : NON_EXPORTED_BASE(public base::NonThreadSafe),
 
   std::vector<GURL> url_chain_;
   GURL first_party_for_cookies_;
+  url::Origin initiator_;
   GURL delegate_redirect_url_;
   std::string method_;  // "GET", "POST", etc. Should be all uppercase.
   std::string referrer_;