SameSite: Strict/Lax behavior.

content/browser/frame_host/render_frame_message_filter.cc

Index: content/browser/frame_host/render_frame_message_filter.cc
diff --git a/content/browser/frame_host/render_frame_message_filter.cc b/content/browser/frame_host/render_frame_message_filter.cc
index 803ce426f4fd58617fe21657165e315d13ca83b6..2e16743d3f549b65b00efed4467898344a5260c2 100644
--- a/content/browser/frame_host/render_frame_message_filter.cc
+++ b/content/browser/frame_host/render_frame_message_filter.cc
@@ -21,6 +21,7 @@
 #include "content/public/common/content_constants.h"
 #include "content/public/common/content_switches.h"
 #include "gpu/GLES2/gl2extchromium.h"
+#include "net/base/registry_controlled_domains/registry_controlled_domain.h"
 #include "net/cookies/cookie_options.h"
 #include "net/cookies/cookie_store.h"
 #include "net/url_request/url_request_context.h"
@@ -394,7 +395,18 @@ void RenderFrameMessageFilter::OnGetCookies(int render_frame_id,
   net::URLRequestContext* context = GetRequestContextForURL(url);
 
   net::CookieOptions options;
-  options.set_include_same_site();
+  if (net::registry_controlled_domains::SameDomainOrHost(
+          url, first_party_for_cookies,
+          net::registry_controlled_domains::INCLUDE_PRIVATE_REGISTRIES)) {
+    // TODO(mkwst): This check ought to further distinguish between frames
+    // initiated in a strict or lax same-site context.,[

[Mike West, 2016/03/18 14:27:17]

Honestly, I need to think about whether or not this is a bug. I think it is, but
maybe the behavior makes sense? Idunno. It's not clear that we need to reason
about the initiator after we've already opened and rendered a document.

[mmenke, 2016/03/18 15:58:12]

My feeling is that the cookies we send while requesting the HTML file should
exactly match the cookies that the HTML file can access, modulo new cookies and
expiring cookies.  Anything else seems weird to me.

If the thinking is that the iframe knows its an iframe, and can behavior
correspondingly, seems like we could just send that information as a request
header instead of a new SameSite value - that makes the cookie security model
consistent.  If the idea is we should hide cookies based on the "initiator",
seems like should be defined the same way for HTTP and HTML.

[mmenke, 2016/03/18 15:58:13]

nit:  Remove the ",["

+    options.set_same_site_cookie_mode(
+        net::CookieOptions::SameSiteCookieMode::INCLUDE_STRICT_AND_LAX);
+  } else {
+    options.set_same_site_cookie_mode(
+        net::CookieOptions::SameSiteCookieMode::DO_NOT_INCLUDE);
+  }
+
   context->cookie_store()->GetCookieListWithOptionsAsync(
       url, options,
       base::Bind(&RenderFrameMessageFilter::CheckPolicyForCookies, this,