Make DocumentThreadableLoader's cross origin logic clearer in terms of layering

third_party/WebKit/Source/core/fetch/FetchRequest.cpp

Index: third_party/WebKit/Source/core/fetch/FetchRequest.cpp
diff --git a/third_party/WebKit/Source/core/fetch/FetchRequest.cpp b/third_party/WebKit/Source/core/fetch/FetchRequest.cpp
index 55982ed65f2def4f266e6b7525cc6e149cbf1b02..6fd3174a814e996ebad61533031d3ef37e6f2d5e 100644
--- a/third_party/WebKit/Source/core/fetch/FetchRequest.cpp
+++ b/third_party/WebKit/Source/core/fetch/FetchRequest.cpp
@@ -105,17 +105,24 @@ void FetchRequest::setCrossOriginAccessControl(
       useCredentials ? WebURLRequest::FetchCredentialsModeInclude
                      : WebURLRequest::FetchCredentialsModeSameOrigin);
 
-  m_options.allowCredentials = (isSameOriginRequest || useCredentials)
-                                   ? AllowStoredCredentials
-                                   : DoNotAllowStoredCredentials;
+  if (isSameOriginRequest || useCredentials) {
+    m_options.allowCredentials = AllowStoredCredentials;
+    m_resourceRequest.setAllowStoredCredentials(true);
+  } else {
+    m_options.allowCredentials = DoNotAllowStoredCredentials;
+    m_resourceRequest.setAllowStoredCredentials(false);
+  }
   m_options.corsEnabled = IsCORSEnabled;
   m_options.securityOrigin = origin;
   m_options.credentialsRequested = useCredentials
                                        ? ClientRequestedCredentials
                                        : ClientDidNotRequestCredentials;
 
-  updateRequestForAccessControl(m_resourceRequest, origin,
-                                m_options.allowCredentials);
+  // TODO: Credentials should be removed only when the request is cross origin.
+  m_resourceRequest.removeCredentials();
+
+  if (origin)
+    m_resourceRequest.setHTTPOrigin(origin);
 }
 
 void FetchRequest::setResourceWidth(ResourceWidth resourceWidth) {