diff options
Diffstat (limited to 'net/url_request/url_request_http_job.cc')
-rw-r--r-- | net/url_request/url_request_http_job.cc | 45 |
1 files changed, 35 insertions, 10 deletions
diff --git a/net/url_request/url_request_http_job.cc b/net/url_request/url_request_http_job.cc index ccc38d5..6946575 100644 --- a/net/url_request/url_request_http_job.cc +++ b/net/url_request/url_request_http_job.cc @@ -26,6 +26,7 @@ #include "net/base/net_errors.h" #include "net/base/network_delegate.h" #include "net/base/network_quality_estimator.h" +#include "net/base/registry_controlled_domains/registry_controlled_domain.h" #include "net/base/sdch_manager.h" #include "net/base/sdch_net_log_params.h" #include "net/base/url_util.h" @@ -725,19 +726,43 @@ void URLRequestHttpJob::AddCookieHeaderAndStart() { CookieOptions options; options.set_include_httponly(); - // TODO(mkwst): If same-site cookies aren't enabled, pretend the request is - // same-site regardless, in order to include all cookies. Drop this check - // once we decide whether or not we're shipping this feature: - // https://crbug.com/459154 + // Set SameSiteCookieMode according to the rules laid out in + // https://tools.ietf.org/html/draft-west-first-party-cookies: + // + // * Include both "strict" and "lax" same-site cookies if the request's + // |url|, |initiator|, and |first_party_for_cookies| all have the same + // registrable domain. + // + // * Include only "lax" same-site cookies if the request's |URL| and + // |first_party_for_cookies| have the same registrable domain, _and_ the + // request's |method| is "safe" ("GET" or "HEAD"). + // + // Note that this will generally be the case only for cross-site requests + // which target a top-level browsing context. + // + // * Otherwise, do not include same-site cookies. url::Origin requested_origin(request_->url()); + url::Origin site_for_cookies(request_->first_party_for_cookies()); + if (!network_delegate() || !network_delegate()->AreExperimentalCookieFeaturesEnabled()) { - options.set_include_same_site(); - } else if (requested_origin.IsSameOriginWith( - url::Origin(request_->first_party_for_cookies())) && - (IsMethodSafe(request_->method()) || - requested_origin.IsSameOriginWith(request_->initiator()))) { - options.set_include_same_site(); + // TODO(mkwst): If same-site cookies aren't enabled, then tag the request + // as including both strict and lax same-site cookies. Drop this check + // once the feature is no longer behind a flag: https://crbug.com/459154. + options.set_same_site_cookie_mode( + CookieOptions::SameSiteCookieMode::INCLUDE_STRICT_AND_LAX); + } else if (registry_controlled_domains::SameDomainOrHost( + requested_origin, site_for_cookies, + registry_controlled_domains::INCLUDE_PRIVATE_REGISTRIES)) { + if (registry_controlled_domains::SameDomainOrHost( + requested_origin, request_->initiator(), + registry_controlled_domains::INCLUDE_PRIVATE_REGISTRIES)) { + options.set_same_site_cookie_mode( + CookieOptions::SameSiteCookieMode::INCLUDE_STRICT_AND_LAX); + } else if (IsMethodSafe(request_->method())) { + options.set_same_site_cookie_mode( + CookieOptions::SameSiteCookieMode::INCLUDE_LAX); + } } cookie_store->GetCookieListWithOptionsAsync( |