Cross origin requests to same origin should match

third_party/WebKit/Source/core/fetch/ResourceLoaderOptions.h

Index: third_party/WebKit/Source/core/fetch/ResourceLoaderOptions.h
diff --git a/third_party/WebKit/Source/core/fetch/ResourceLoaderOptions.h b/third_party/WebKit/Source/core/fetch/ResourceLoaderOptions.h
index 01c166359647675269fa866b8745f02d37723981..e35e12e5d4acc799d6b26c66f196cad23d80ccd8 100644
--- a/third_party/WebKit/Source/core/fetch/ResourceLoaderOptions.h
+++ b/third_party/WebKit/Source/core/fetch/ResourceLoaderOptions.h
@@ -79,6 +79,11 @@ enum CORSEnabled {
     IsCORSEnabled
 };
 
+enum SameOrigin {
+    NotSameOrigin,
+    IsSameOrigin
+};
+
 struct ResourceLoaderOptions {
     USING_FAST_MALLOC(ResourceLoaderOptions);
 public:
@@ -90,6 +95,7 @@ public:
         , requestInitiatorContext(DocumentContext)
         , synchronousPolicy(RequestAsynchronously)
         , corsEnabled(NotCORSEnabled)
+        , sameOrigin(NotSameOrigin)

[Nate Chapin, 2016/03/17 22:58:18]

This will make non-CORS loads always be marked NotSameOrigin. That seems
strange?

[Yoav Weiss, 2016/03/18 07:53:14]

True. Maybe a third value is needed

     {
     }
 
@@ -106,24 +112,14 @@ public:
         , requestInitiatorContext(requestInitiatorContext)
         , synchronousPolicy(RequestAsynchronously)
         , corsEnabled(NotCORSEnabled)
+        , sameOrigin(NotSameOrigin)
     {
     }
 
     // Answers the question "can a separate request with these
     // different options be re-used" (e.g. preload request)
     // The safe (but possibly slow) answer is always false.
-    bool canReuseRequest(const ResourceLoaderOptions& other) const
-    {
-        // dataBufferingPolicy differences are believed to be safe for re-use.
-        // FIXME: check allowCredentials.
-        // FIXME: check credentialsRequested.
-        // FIXME: check contentSecurityPolicyOption.
-        // initiatorInfo is purely informational and should be benign for re-use.
-        // requestInitiatorContext is benign (indicates document vs. worker)
-        // synchronousPolicy (safe to re-use an async XHR response for sync, etc.)
-        return corsEnabled == other.corsEnabled;
-        // securityOrigin has more complicated checks which callers are responsible for.
-    }
+    bool canReuseRequest(const ResourceLoaderOptions& other) const;
 
     // When adding members, CrossThreadResourceLoaderOptionsData should be
     // updated.
@@ -136,6 +132,7 @@ public:
     SynchronousPolicy synchronousPolicy;
     CORSEnabled corsEnabled; // If the resource is loaded out-of-origin, whether or not to use CORS.
     RefPtr<SecurityOrigin> securityOrigin;
+    SameOrigin sameOrigin;
 };
 
 // Encode AtomicString (in FetchInitiatorInfo) as String to cross threads.
@@ -150,7 +147,8 @@ struct CrossThreadResourceLoaderOptionsData {
         , requestInitiatorContext(options.requestInitiatorContext)
         , synchronousPolicy(options.synchronousPolicy)
         , corsEnabled(options.corsEnabled)
-        , securityOrigin(options.securityOrigin ? options.securityOrigin->isolatedCopy() : nullptr) { }
+        , securityOrigin(options.securityOrigin ? options.securityOrigin->isolatedCopy() : nullptr)
+        , sameOrigin(options.sameOrigin) { }
 
     operator ResourceLoaderOptions() const
     {
@@ -164,6 +162,7 @@ struct CrossThreadResourceLoaderOptionsData {
         options.synchronousPolicy = synchronousPolicy;
         options.corsEnabled = corsEnabled;
         options.securityOrigin = securityOrigin;
+        options.sameOrigin = sameOrigin;
         return options;
     }
 
@@ -176,6 +175,7 @@ struct CrossThreadResourceLoaderOptionsData {
     SynchronousPolicy synchronousPolicy;
     CORSEnabled corsEnabled;
     RefPtr<SecurityOrigin> securityOrigin;
+    SameOrigin sameOrigin;
 };
 
 template <>