Index: third_party/WebKit/Source/core/loader/FrameFetchContext.cpp |
diff --git a/third_party/WebKit/Source/core/loader/FrameFetchContext.cpp b/third_party/WebKit/Source/core/loader/FrameFetchContext.cpp |
index 328a07253fcd822ca3df82a0655cc305f40f15b8..cfdee68040d257ee5c4d741c89daae4f7705f177 100644 |
--- a/third_party/WebKit/Source/core/loader/FrameFetchContext.cpp |
+++ b/third_party/WebKit/Source/core/loader/FrameFetchContext.cpp |
@@ -296,6 +296,8 @@ void FrameFetchContext::DispatchDidChangeResourcePriority( |
void FrameFetchContext::PrepareRequest(ResourceRequest& request, |
RedirectType redirect_type) { |
+ SetFirstPartyCookieAndRequestorOrigin(request); |
kinuko
2017/06/07 02:00:49
Moved here so this is also called in redirects (so
|
+ |
GetFrame()->Loader().ApplyUserAgent(request); |
GetLocalFrameClient()->DispatchWillSendRequest(request); |
@@ -687,8 +689,6 @@ void FrameFetchContext::PopulateResourceRequest( |
const ResourceLoaderOptions& options, |
SecurityViolationReportingPolicy reporting_policy, |
ResourceRequest& request) { |
- SetFirstPartyCookieAndRequestorOrigin(request); |
- |
// Before modifying the request for CSP, evaluate report-only headers. This |
// allows site owners to learn about requests that are being modified |
// (e.g. mixed content that is being upgraded by upgrade-insecure-requests). |
@@ -703,27 +703,37 @@ void FrameFetchContext::PopulateResourceRequest( |
void FrameFetchContext::SetFirstPartyCookieAndRequestorOrigin( |
kinuko
2017/06/07 02:00:49
Now this does mostly same as what RenderFrameImpl:
|
ResourceRequest& request) { |
- if (!GetDocument()) |
- return; |
- |
+ // Set the first party for cookies url if it has not been set yet (new |
+ // requests). This value will be updated during redirects, consistent with |
+ // https://tools.ietf.org/html/draft-west-first-party-cookies-04#section-2.1.1 |
Mike West
2017/06/07 06:48:44
Would you mind updating this to https://tools.ietf
kinuko
2017/06/07 06:57:49
Done.
|
if (request.FirstPartyForCookies().IsNull()) { |
- request.SetFirstPartyForCookies( |
- GetDocument() ? GetDocument()->FirstPartyForCookies() |
- : SecurityOrigin::UrlWithUniqueSecurityOrigin()); |
+ if (request.GetFrameType() == WebURLRequest::kFrameTypeTopLevel) { |
+ request.SetFirstPartyForCookies(request.Url()); |
+ } else { |
+ // Use GetDocument() for subresource or nested frame cases, |
+ // GetFrame()->GetDocument() otherwise. |
+ Document* document = |
+ GetDocument() ? GetDocument() : GetFrame()->GetDocument(); |
+ request.SetFirstPartyForCookies(document->FirstPartyForCookies()); |
+ } |
} |
- // Subresource requests inherit their requestor origin from |m_document| |
- // directly. Top-level and nested frame types are taken care of in |
- // 'FrameLoadRequest()'. Auxiliary frame types in 'createWindow()' and |
- // 'FrameLoader::load'. |
- // TODO(mkwst): It would be cleaner to adjust blink::ResourceRequest to |
- // initialize itself with a `nullptr` initiator so that this can be a simple |
- // `isNull()` check. https://crbug.com/625969 |
- if (request.GetFrameType() == WebURLRequest::kFrameTypeNone && |
- request.RequestorOrigin()->IsUnique()) { |
- request.SetRequestorOrigin(GetDocument()->IsSandboxed(kSandboxOrigin) |
- ? SecurityOrigin::Create(document_->Url()) |
- : document_->GetSecurityOrigin()); |
+ // Subresource requests inherit their requestor origin from |document_| |
+ // directly. Top-level frame types are taken care of in 'FrameLoadRequest()'. |
+ // Auxiliary frame types in 'CreateWindow()' and 'FrameLoader::Load'. |
+ if (!request.RequestorOrigin()) { |
+ if (request.GetFrameType() == WebURLRequest::kFrameTypeNone) { |
+ Document* document = GetDocument(); |
+ request.SetRequestorOrigin(document->IsSandboxed(kSandboxOrigin) |
+ ? SecurityOrigin::Create(document->Url()) |
+ : document->GetSecurityOrigin()); |
+ } else { |
+ // Set the requestor origin to the same origin as the frame's document |
+ // if it hasn't yet been set. (We may hit here for nested frames and |
+ // redirect cases) |
+ request.SetRequestorOrigin( |
+ GetFrame()->GetDocument()->GetSecurityOrigin()); |
kinuko
2017/06/07 02:00:49
Wasn't bit sure if we should also check IsSandboxe
|
+ } |
} |
} |