author | raymes <raymes@chromium.org> | 2015-03-12 17:35:43 -0700 |
---|---|---|
committer | Commit bot <commit-bot@chromium.org> | 2015-03-13 00:36:18 +0000 |
commit | ea64fb20a0c9480046264075d056428d9ab3918c (patch) | |
tree | b55034f7ab545076fb5eb5f170379fb9a36f4cb1 /extensions/renderer/guest_view | |
parent | cb7f762e30888f8ea8c8ba27d5bac447a53c1a0d (diff) | |
Always set allowCredentials for embedded MimeHandlerView requests.
This ensures that credentials/cookies are always sent with the request. This
should be safe as we control the request tightly - it is a GET request
triggered by a site containing an <embed src="<url>"> tag. The only user
supplied value in the request (besides the credentials) is the <url>.
This behavior should be similar to iframes.
BUG=465932
Review URL: https://codereview.chromium.org/997783002
Cr-Commit-Position: refs/heads/master@{#320414}
Diffstat (limited to 'extensions/renderer/guest_view')
-rw-r--r-- | extensions/renderer/guest_view/mime_handler_view/mime_handler_view_container.cc | 4 |
1 files changed, 3 insertions, 1 deletions
diff --git a/extensions/renderer/guest_view/mime_handler_view/mime_handler_view_container.cc b/extensions/renderer/guest_view/mime_handler_view/mime_handler_view_container.cc
index e8657e6..6371561 100644
--- a/extensions/renderer/guest_view/mime_handler_view/mime_handler_view_container.cc
+++ b/extensions/renderer/guest_view/mime_handler_view/mime_handler_view_container.cc
@@ -127,9 +127,11 @@ void MimeHandlerViewContainer::Ready() {
 blink::WebFrame* frame = render_frame()->GetWebFrame();
 blink::WebURLLoaderOptions options;
- // The embedded plugin is allowed to be cross-origin.
+ // The embedded plugin is allowed to be cross-origin and we should always
+ // send credentials/cookies with the request.
 options.crossOriginRequestPolicy = blink::WebURLLoaderOptions::CrossOriginRequestPolicyAllow;
+ options.allowCredentials = true;
 DCHECK(!loader_);
 loader_.reset(frame->createAssociatedURLLoader(options)); |
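Review bot: The new comment above `options.allowCredentials = true;` says credentials are always sent but not why that is safe; the justification (a GET for the `<embed>` src, comparable to an iframe) lives only in the commit message. Together with `CrossOriginRequestPolicyAllow`, this loader, created from the embedder's frame, now fetches whatever URL the embedding page supplied with the user's cookies attached. The invariant that matters is therefore that the response body is only handed to the MIME handler guest and never becomes readable by the embedding page's script. The code that consumes the response is outside this hunk (the body of `Ready()` continues past it), so that cannot be confirmed from here. I would record the invariant at the call site, e.g. `// Credentials are sent as for an iframe load; the response must only be streamed to the guest and never exposed to the embedder's script.`, and back it with a test that a credentialed cross-origin embed response is not observable from the embedding page.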