Rename first-party-only cookies to same-site cookies.

net/url_request/url_request_http_job.cc

 // Copyright (c) 2012 The Chromium Authors. All rights reserved.
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
 #include "net/url_request/url_request_http_job.h"
 
 #include "base/base_switches.h"
 #include "base/bind.h"
 #include "base/bind_helpers.h"
 #include "base/command_line.h"
@@ skipping 653 matching lines @@
   // No matter what, we want to report our status as IO pending since we will
   // be notifying our consumer asynchronously via OnStartCompleted.
   SetStatus(URLRequestStatus(URLRequestStatus::IO_PENDING, 0));
 
   // If the request was destroyed, then there is no more work to do.
   if (!request_)
     return;
 
   CookieStore* cookie_store = request_->context()->cookie_store();
   if (cookie_store && !(request_info_.load_flags & LOAD_DO_NOT_SEND_COOKIES)) {
     cookie_store->GetAllCookiesForURLAsync(

[mmenke, 2016/01/25 18:47:10]

Erm...wait...We get cookies without options, and pass them on to the
embedder...And then we get the cookies with the options, and those are the ones
that we actually use?  Is there a reason for this?

Know this is tangential to this CL, but I'd like to understand what's going on
here.

[mmenke, 2016/01/26 15:08:05]

Do you have any idea about this?  I was unaware of this behavior when I signed
off on your original modifications to DoLoadCookies, so I'm wondering if having
the options stuff only in there is a bug.

[Mike West, 2016/01/26 16:19:13]

Sorry, I missed this comment in the first pass.

I also have no idea why we grab one set of cookies without options, and then
grab another set of cookies with options. I suspect this is a bug. I'll add a
TODO and dig into `git log` to try to figure out when they diverged and whether
there was a reason.

         request_->url(),
         base::Bind(&URLRequestHttpJob::CheckCookiePolicyAndLoad,
                    weak_factory_.GetWeakPtr()));
   } else {
     DoStartTransaction();
   }
 }
 
 void URLRequestHttpJob::DoLoadCookies() {
   CookieOptions options;
   options.set_include_httponly();
 
-  // TODO(mkwst): If first-party-only cookies aren't enabled, pretend the
-  // request is first-party regardless, in order to include all cookies. Drop
-  // this check once we decide whether or not we're shipping this feature:
+  // TODO(mkwst): If same-site cookies aren't enabled, pretend the request is
+  // same-site regardless, in order to include all cookies. Drop this check once
+  // we decide whether or not we're shipping this feature:
   // https://crbug.com/459154
   url::Origin requested_origin(request_->url());
   if (!network_delegate() ||
       !network_delegate()->AreExperimentalCookieFeaturesEnabled()) {
-    options.set_include_first_party_only_cookies();
+    options.set_include_samesite();
   } else if (requested_origin.IsSameOriginWith(
                  url::Origin(request_->first_party_for_cookies())) &&

[mmenke, 2016/01/25 18:47:10]

Should first_party_for_cookies be renamed to same_site_for_cookies?

[Mike West, 2016/01/26 11:05:45]

Maybe. Our UI still talks about blocking "third-party" cookies, but there's
probably value in being consistent with the naming. I'll talk to UI folks. Would
you mind deferring that to a separate discussion/CL?

              (IsMethodSafe(request_->method()) ||
               requested_origin.IsSameOriginWith(request_->initiator()))) {
-    options.set_include_first_party_only_cookies();
+    options.set_include_samesite();
   }
 
   request_->context()->cookie_store()->GetCookiesWithOptionsAsync(
       request_->url(), options, base::Bind(&URLRequestHttpJob::OnCookiesLoaded,
                                            weak_factory_.GetWeakPtr()));
 }
 
 void URLRequestHttpJob::CheckCookiePolicyAndLoad(
     const CookieList& cookie_list) {
   if (CanGetCookies(cookie_list))
@@ skipping 917 matching lines @@
   return override_response_headers_.get() ?
              override_response_headers_.get() :
              transaction_->GetResponseInfo()->headers.get();
 }
 
 void URLRequestHttpJob::NotifyURLRequestDestroyed() {
   awaiting_callback_ = false;
 }
 
 }  // namespace net