[downloads] Set initiator when handling downloads via a[download]

content/browser/download/download_request_core.cc

 // Copyright (c) 2012 The Chromium Authors. All rights reserved.
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
 #include "content/browser/download/download_request_core.h"
 
 #include <string>
 
 #include "base/bind.h"
 #include "base/callback_helpers.h"
@@ skipping 163 matching lines @@
     // the server return the entire entity if the validator doesn't match.
     // Last-Modified can be used in the absence of ETag as a validator if the
     // response headers satisfied the HttpUtil::HasStrongValidators() predicate.
     //
     // This function assumes that HasStrongValidators() was true and that the
     // ETag and Last-Modified header values supplied are valid.
     request->SetExtraRequestHeaderByName(
         "If-Range", has_etag ? params->etag() : params->last_modified(), true);
   }
 
+  // Downloads are treated as top level navigations. Hence the first-party
+  // origin for cookies is always based on the target URL and is updated on
+  // redirects.
+  request->set_first_party_for_cookies(params->url());
+  request->set_first_party_url_policy(
+      net::URLRequest::UPDATE_FIRST_PARTY_URL_ON_REDIRECT);
+  request->set_initiator(params->initiator());

[clamy, 2016/12/14 16:25:38]

Sanity check: Does this happen before or after
URLRequestHttpJob::AddCookieHeaderAndStart? If before, the initiator won't
necessarily be the same as url & first_party_for_cookies, meaning that we may
not set the strict cookies. Is that ok?

[asanka, 2016/12/14 18:21:29]

Yup. This happens prior to request->Start() being called. The URLRequestJob
substrates including URLRequestHttpJob are only instantiated after
URLRequest::Start() is called. The request is started only after it is handed
over to the ResourceLoader stack or URLDownloader. We are just setting up the
URLRequest at this stage.

The initiator and first_party_for_cookies can be different for downloads that
cross origins. SameSite=Strict cookies not being sent for these requests is the
intended effect.

+
   for (const auto& header : params->request_headers())
     request->SetExtraRequestHeaderByName(header.first, header.second,
                                          false /*overwrite*/);
 
   DownloadRequestData::Attach(request.get(), params, download_id);
   return request;
 }
 
 DownloadRequestCore::DownloadRequestCore(net::URLRequest* request,
                                          Delegate* delegate)
@@ skipping 433 matching lines @@
     return DOWNLOAD_INTERRUPT_REASON_NONE;
   }
 
   if (http_headers.response_code() == net::HTTP_PARTIAL_CONTENT)
     return DOWNLOAD_INTERRUPT_REASON_SERVER_BAD_CONTENT;
 
   return DOWNLOAD_INTERRUPT_REASON_NONE;
 }
 
 }  // namespace content