Unify ChromeNetworkDelegate and NetworkServiceNetworkDelegate cookie logic

This was suggested in crbug.com/789636 so this logic can run in
production before the launch of the network service.

Had to keep the tab notification logic in each delegate, since the
way NetworkServiceNetworkDelegate maps the request back to the
original tab (using the URLLoader set as user data on the request)
does not work if network service is disabled.

Bug: 789636, 789632
Cq-Include-Trybots: luci.chromium.try:ios-simulator-full-configs;luci.chromium.try:linux_mojo;master.tryserver.chromium.android:android_cronet_tester;master.tryserver.chromium.mac:ios-simulator-cronet
Change-Id: I22395f914639d8ce83457a63062927e876caeaa9
Reviewed-on: https://chromium-review.googlesource.com/1113903Reviewed-by: Matt Menke <mmenke@chromium.org>
Reviewed-by: John Abd-El-Malek <jam@chromium.org>
Commit-Queue: Clark DuVall <cduvall@chromium.org>
Cr-Commit-Position: refs/heads/master@{#570877}

android_webview/browser/net/aw_network_delegate.cc

@@ -89,15 +89,19 @@ int AwNetworkDelegate::OnHeadersReceived(
 }
 
 bool AwNetworkDelegate::OnCanGetCookies(const net::URLRequest& request,
-                                        const net::CookieList& cookie_list) {
-  return AwCookieAccessPolicy::GetInstance()->OnCanGetCookies(request,
+                                        const net::CookieList& cookie_list,
+                                        bool allow_from_caller) {
+  return allow_from_caller &&
+         AwCookieAccessPolicy::GetInstance()->OnCanGetCookies(request,
                                                               cookie_list);
 }
 
 bool AwNetworkDelegate::OnCanSetCookie(const net::URLRequest& request,
                                        const net::CanonicalCookie& cookie,
-                                       net::CookieOptions* options) {
-  return AwCookieAccessPolicy::GetInstance()->OnCanSetCookie(request, cookie,
+                                       net::CookieOptions* options,
+                                       bool allow_from_caller) {
+  return allow_from_caller &&
+         AwCookieAccessPolicy::GetInstance()->OnCanSetCookie(request, cookie,
                                                              options);
 }
 

android_webview/browser/net/aw_network_delegate.h

@@ -34,10 +34,12 @@ class AwNetworkDelegate : public net::NetworkDelegateImpl {
       scoped_refptr<net::HttpResponseHeaders>* override_response_headers,
       GURL* allowed_unsafe_redirect_url) override;
   bool OnCanGetCookies(const net::URLRequest& request,
-                       const net::CookieList& cookie_list) override;
+                       const net::CookieList& cookie_list,
+                       bool allow_from_caller) override;
   bool OnCanSetCookie(const net::URLRequest& request,
                       const net::CanonicalCookie& cookie,
-                      net::CookieOptions* options) override;
+                      net::CookieOptions* options,
+                      bool allow_from_caller) override;
   bool OnCanAccessFile(const net::URLRequest& request,
                        const base::FilePath& original_path,
                        const base::FilePath& absolute_path) const override;

chrome/browser/android/download/intercept_download_resource_throttle.cc

@@ -73,8 +73,9 @@ const char* InterceptDownloadResourceThrottle::GetNameForLogging() const {
 void InterceptDownloadResourceThrottle::CheckCookiePolicy(
     const net::CookieList& cookie_list) {
   DownloadInfo info(request_);
-  if (request_->context()->network_delegate()->CanGetCookies(*request_,
-                                                             cookie_list)) {
+  if (request_->context()->network_delegate()->CanGetCookies(
+          *request_, cookie_list,
+          /*allowed_from_caller=*/true)) {
     std::string cookie = net::CanonicalCookie::BuildCookieLine(cookie_list);
     if (!cookie.empty())
       info.cookie = cookie;

chrome/browser/net/chrome_network_delegate.cc

@@ -357,48 +357,35 @@ ChromeNetworkDelegate::OnAuthRequired(net::URLRequest* request,
       request, auth_info, std::move(callback), credentials);
 }
 
-bool ChromeNetworkDelegate::OnCanGetCookies(
-    const net::URLRequest& request,
-    const net::CookieList& cookie_list) {
-  // nullptr during tests, or when we're running in the system context.
-  if (!cookie_settings_.get())
-    return true;
-
-  bool allow = cookie_settings_->IsCookieAccessAllowed(
-      request.url(), request.site_for_cookies());
-
+bool ChromeNetworkDelegate::OnCanGetCookies(const net::URLRequest& request,
+                                            const net::CookieList& cookie_list,
+                                            bool allowed_from_caller) {
   const ResourceRequestInfo* info = ResourceRequestInfo::ForRequest(&request);
   if (info) {
     BrowserThread::PostTask(
         BrowserThread::UI, FROM_HERE,
         base::BindOnce(&TabSpecificContentSettings::CookiesRead,
                        info->GetWebContentsGetterForRequest(), request.url(),
-                       request.site_for_cookies(), cookie_list, !allow));
+                       request.site_for_cookies(), cookie_list,
+                       !allowed_from_caller));
   }
-
-  return allow;
+  return allowed_from_caller;
 }
 
 bool ChromeNetworkDelegate::OnCanSetCookie(const net::URLRequest& request,
                                            const net::CanonicalCookie& cookie,
-                                           net::CookieOptions* options) {
-  // nullptr during tests, or when we're running in the system context.
-  if (!cookie_settings_.get())
-    return true;
-
-  bool allow = cookie_settings_->IsCookieAccessAllowed(
-      request.url(), request.site_for_cookies());
-
+                                           net::CookieOptions* options,
+                                           bool allowed_from_caller) {
   const ResourceRequestInfo* info = ResourceRequestInfo::ForRequest(&request);
   if (info) {
     BrowserThread::PostTask(
         BrowserThread::UI, FROM_HERE,
         base::BindOnce(&TabSpecificContentSettings::CookieChanged,
                        info->GetWebContentsGetterForRequest(), request.url(),
-                       request.site_for_cookies(), cookie, !allow));
+                       request.site_for_cookies(), cookie,
+                       !allowed_from_caller));
   }
-
-  return allow;
+  return allowed_from_caller;
 }
 
 bool ChromeNetworkDelegate::OnCanAccessFile(
@@ -437,16 +424,6 @@ void ChromeNetworkDelegate::EnableAccessToAllFilesForTesting(bool enabled) {
   g_access_to_all_files_enabled = enabled;
 }
 
-bool ChromeNetworkDelegate::OnCanEnablePrivacyMode(
-    const GURL& url,
-    const GURL& site_for_cookies) const {
-  // nullptr during tests, or when we're running in the system context.
-  if (!cookie_settings_.get())
-    return false;
-
-  return !cookie_settings_->IsCookieAccessAllowed(url, site_for_cookies);
-}
-
 bool ChromeNetworkDelegate::OnAreExperimentalCookieFeaturesEnabled() const {
   return experimental_web_platform_features_enabled_;
 }

chrome/browser/net/chrome_network_delegate.h

@@ -180,15 +180,15 @@ class ChromeNetworkDelegate : public net::NetworkDelegateImpl {
       AuthCallback callback,
       net::AuthCredentials* credentials) override;
   bool OnCanGetCookies(const net::URLRequest& request,
-                       const net::CookieList& cookie_list) override;
+                       const net::CookieList& cookie_list,
+                       bool allowed_from_caller) override;
   bool OnCanSetCookie(const net::URLRequest& request,
                       const net::CanonicalCookie& cookie,
-                      net::CookieOptions* options) override;
+                      net::CookieOptions* options,
+                      bool allowed_from_caller) override;
   bool OnCanAccessFile(const net::URLRequest& request,
                        const base::FilePath& original_path,
                        const base::FilePath& absolute_path) const override;
-  bool OnCanEnablePrivacyMode(const GURL& url,
-                              const GURL& site_for_cookies) const override;
   bool OnAreExperimentalCookieFeaturesEnabled() const override;
   bool OnCancelURLRequestWithPolicyViolatingReferrerHeader(
       const net::URLRequest& request,

chrome/browser/net/chrome_network_delegate_unittest.cc

@@ -482,57 +482,6 @@ class ChromeNetworkDelegatePrivacyModeTest : public testing::Test {
   const GURL kBlockedFirstPartySite;
 };
 
-TEST_F(ChromeNetworkDelegatePrivacyModeTest, DisablePrivacyIfCookiesAllowed) {
-  std::unique_ptr<ChromeNetworkDelegate> delegate(CreateNetworkDelegate());
-  SetDelegate(delegate.get());
-
-  EXPECT_FALSE(network_delegate_->CanEnablePrivacyMode(kAllowedSite,
-                                                       kEmptyFirstPartySite));
-}
-
-
-TEST_F(ChromeNetworkDelegatePrivacyModeTest, EnablePrivacyIfCookiesBlocked) {
-  std::unique_ptr<ChromeNetworkDelegate> delegate(CreateNetworkDelegate());
-  SetDelegate(delegate.get());
-
-  EXPECT_FALSE(network_delegate_->CanEnablePrivacyMode(kBlockedSite,
-                                                       kEmptyFirstPartySite));
-
-  cookie_settings_->SetCookieSetting(kBlockedSite, CONTENT_SETTING_BLOCK);
-  EXPECT_TRUE(network_delegate_->CanEnablePrivacyMode(kBlockedSite,
-                                                      kEmptyFirstPartySite));
-}
-
-TEST_F(ChromeNetworkDelegatePrivacyModeTest, EnablePrivacyIfThirdPartyBlocked) {
-  std::unique_ptr<ChromeNetworkDelegate> delegate(CreateNetworkDelegate());
-  SetDelegate(delegate.get());
-
-  EXPECT_FALSE(network_delegate_->CanEnablePrivacyMode(kAllowedSite,
-                                                       kFirstPartySite));
-
-  profile_.GetPrefs()->SetBoolean(prefs::kBlockThirdPartyCookies, true);
-  EXPECT_TRUE(network_delegate_->CanEnablePrivacyMode(kAllowedSite,
-                                                      kFirstPartySite));
-  profile_.GetPrefs()->SetBoolean(prefs::kBlockThirdPartyCookies, false);
-  EXPECT_FALSE(network_delegate_->CanEnablePrivacyMode(kAllowedSite,
-                                                       kFirstPartySite));
-}
-
-TEST_F(ChromeNetworkDelegatePrivacyModeTest,
-       DisablePrivacyIfOnlyFirstPartyBlocked) {
-  std::unique_ptr<ChromeNetworkDelegate> delegate(CreateNetworkDelegate());
-  SetDelegate(delegate.get());
-
-  EXPECT_FALSE(network_delegate_->CanEnablePrivacyMode(kAllowedSite,
-                                                       kBlockedFirstPartySite));
-
-  cookie_settings_->SetCookieSetting(kBlockedFirstPartySite,
-                                     CONTENT_SETTING_BLOCK);
-  // Privacy mode is disabled as kAllowedSite is still getting cookies
-  EXPECT_FALSE(network_delegate_->CanEnablePrivacyMode(kAllowedSite,
-                                                       kBlockedFirstPartySite));
-}
-
 TEST(ChromeNetworkDelegateStaticTest, IsAccessAllowed) {
 #if !defined(OS_CHROMEOS) && !defined(OS_ANDROID)
   // Platforms other than Chrome OS and Android have access to any files.

components/cronet/cronet_url_request_context.cc

@@ -103,14 +103,16 @@ class BasicNetworkDelegate : public net::NetworkDelegateImpl {
  private:
   // net::NetworkDelegate implementation.
   bool OnCanGetCookies(const net::URLRequest& request,
-                       const net::CookieList& cookie_list) override {
+                       const net::CookieList& cookie_list,
+                       bool allowed_from_caller) override {
     // Disallow sending cookies by default.
     return false;
   }
 
   bool OnCanSetCookie(const net::URLRequest& request,
                       const net::CanonicalCookie& cookie,
-                      net::CookieOptions* options) override {
+                      net::CookieOptions* options,
+                      bool allowed_from_caller) override {
     // Disallow saving cookies by default.
     return false;
   }

content/shell/browser/shell_network_delegate.cc

@@ -34,24 +34,26 @@ void ShellNetworkDelegate::SetCancelURLRequestWithPolicyViolatingReferrerHeader(
 }
 
 bool ShellNetworkDelegate::OnCanGetCookies(const net::URLRequest& request,
-                                           const net::CookieList& cookie_list) {
+                                           const net::CookieList& cookie_list,
+                                           bool allowed_from_caller) {
   net::StaticCookiePolicy::Type policy_type = g_block_third_party_cookies ?
       net::StaticCookiePolicy::BLOCK_ALL_THIRD_PARTY_COOKIES :
       net::StaticCookiePolicy::ALLOW_ALL_COOKIES;
   net::StaticCookiePolicy policy(policy_type);
   int rv = policy.CanAccessCookies(request.url(), request.site_for_cookies());
-  return rv == net::OK;
+  return allowed_from_caller && rv == net::OK;
 }
 
 bool ShellNetworkDelegate::OnCanSetCookie(const net::URLRequest& request,
                                           const net::CanonicalCookie& cookie,
-                                          net::CookieOptions* options) {
+                                          net::CookieOptions* options,
+                                          bool allowed_from_caller) {
   net::StaticCookiePolicy::Type policy_type = g_block_third_party_cookies ?
       net::StaticCookiePolicy::BLOCK_ALL_THIRD_PARTY_COOKIES :
       net::StaticCookiePolicy::ALLOW_ALL_COOKIES;
   net::StaticCookiePolicy policy(policy_type);
   int rv = policy.CanAccessCookies(request.url(), request.site_for_cookies());
-  return rv == net::OK;
+  return allowed_from_caller && rv == net::OK;
 }
 
 bool ShellNetworkDelegate::OnCanAccessFile(

content/shell/browser/shell_network_delegate.h

@@ -22,10 +22,12 @@ class ShellNetworkDelegate : public net::NetworkDelegateImpl {
  private:
   // net::NetworkDelegate implementation.
   bool OnCanGetCookies(const net::URLRequest& request,
-                       const net::CookieList& cookie_list) override;
+                       const net::CookieList& cookie_list,
+                       bool allowed_from_caller) override;
   bool OnCanSetCookie(const net::URLRequest& request,
                       const net::CanonicalCookie& cookie,
-                      net::CookieOptions* options) override;
+                      net::CookieOptions* options,
+                      bool allowed_from_caller) override;
   bool OnCanAccessFile(const net::URLRequest& request,
                        const base::FilePath& original_path,
                        const base::FilePath& absolute_path) const override;

ios/chrome/browser/net/ios_chrome_network_delegate.cc

@@ -90,25 +90,27 @@ void IOSChromeNetworkDelegate::OnCompleted(net::URLRequest* request,
 
 bool IOSChromeNetworkDelegate::OnCanGetCookies(
     const net::URLRequest& request,
-    const net::CookieList& cookie_list) {
+    const net::CookieList& cookie_list,
+    bool allowed_from_caller) {
   // Null during tests, or when we're running in the system context.
   if (!cookie_settings_)
-    return true;
+    return allowed_from_caller;
 
-  return cookie_settings_->IsCookieAccessAllowed(request.url(),
-                                                 request.site_for_cookies());
+  return allowed_from_caller && cookie_settings_->IsCookieAccessAllowed(
+                                    request.url(), request.site_for_cookies());
 }
 
 bool IOSChromeNetworkDelegate::OnCanSetCookie(
     const net::URLRequest& request,
     const net::CanonicalCookie& cookie,
-    net::CookieOptions* options) {
+    net::CookieOptions* options,
+    bool allowed_from_caller) {
   // Null during tests, or when we're running in the system context.
   if (!cookie_settings_)
-    return true;
+    return allowed_from_caller;
 
-  return cookie_settings_->IsCookieAccessAllowed(request.url(),
-                                                 request.site_for_cookies());
+  return allowed_from_caller && cookie_settings_->IsCookieAccessAllowed(
+                                    request.url(), request.site_for_cookies());
 }
 
 bool IOSChromeNetworkDelegate::OnCanAccessFile(

ios/chrome/browser/net/ios_chrome_network_delegate.h

@@ -54,10 +54,12 @@ class IOSChromeNetworkDelegate : public net::NetworkDelegateImpl {
                    bool started,
                    int net_error) override;
   bool OnCanGetCookies(const net::URLRequest& request,
-                       const net::CookieList& cookie_list) override;
+                       const net::CookieList& cookie_list,
+                       bool allowed_from_caller) override;
   bool OnCanSetCookie(const net::URLRequest& request,
                       const net::CanonicalCookie& cookie,
-                      net::CookieOptions* options) override;
+                      net::CookieOptions* options,
+                      bool allowed_from_caller) override;
   bool OnCanAccessFile(const net::URLRequest& request,
                        const base::FilePath& original_path,
                        const base::FilePath& absolute_path) const override;

net/base/layered_network_delegate.cc

@@ -172,27 +172,36 @@ void LayeredNetworkDelegate::OnAuthRequiredInternal(
     AuthCredentials* credentials) {}
 
 bool LayeredNetworkDelegate::OnCanGetCookies(const URLRequest& request,
-                                             const CookieList& cookie_list) {
-  OnCanGetCookiesInternal(request, cookie_list);
-  return nested_network_delegate_->CanGetCookies(request, cookie_list);
+                                             const CookieList& cookie_list,
+                                             bool allowed_from_caller) {
+  return nested_network_delegate_->CanGetCookies(
+      request, cookie_list,
+      OnCanGetCookiesInternal(request, cookie_list, allowed_from_caller));
 }
 
-void LayeredNetworkDelegate::OnCanGetCookiesInternal(
+bool LayeredNetworkDelegate::OnCanGetCookiesInternal(
     const URLRequest& request,
-    const CookieList& cookie_list) {
+    const CookieList& cookie_list,
+    bool allowed_from_caller) {
+  return allowed_from_caller;
 }
 
 bool LayeredNetworkDelegate::OnCanSetCookie(const URLRequest& request,
                                             const net::CanonicalCookie& cookie,
-                                            CookieOptions* options) {
-  OnCanSetCookieInternal(request, cookie, options);
-  return nested_network_delegate_->CanSetCookie(request, cookie, options);
+                                            CookieOptions* options,
+                                            bool allowed_from_caller) {
+  return nested_network_delegate_->CanSetCookie(
+      request, cookie, options,
+      OnCanSetCookieInternal(request, cookie, options, allowed_from_caller));
 }
 
-void LayeredNetworkDelegate::OnCanSetCookieInternal(
+bool LayeredNetworkDelegate::OnCanSetCookieInternal(
     const URLRequest& request,
     const net::CanonicalCookie& cookie,
-    CookieOptions* options) {}
+    CookieOptions* options,
+    bool allowed_from_caller) {
+  return allowed_from_caller;
+}
 
 bool LayeredNetworkDelegate::OnCanAccessFile(
     const URLRequest& request,
@@ -211,13 +220,15 @@ void LayeredNetworkDelegate::OnCanAccessFileInternal(
 bool LayeredNetworkDelegate::OnCanEnablePrivacyMode(
     const GURL& url,
     const GURL& site_for_cookies) const {
-  OnCanEnablePrivacyModeInternal(url, site_for_cookies);
-  return nested_network_delegate_->CanEnablePrivacyMode(url, site_for_cookies);
+  return OnCanEnablePrivacyModeInternal(url, site_for_cookies) ||
+         nested_network_delegate_->CanEnablePrivacyMode(url, site_for_cookies);
 }
 
-void LayeredNetworkDelegate::OnCanEnablePrivacyModeInternal(
+bool LayeredNetworkDelegate::OnCanEnablePrivacyModeInternal(
     const GURL& url,
-    const GURL& site_for_cookies) const {}
+    const GURL& site_for_cookies) const {
+  return false;
+}
 
 bool LayeredNetworkDelegate::OnAreExperimentalCookieFeaturesEnabled() const {
   OnAreExperimentalCookieFeaturesEnabledInternal();

net/base/layered_network_delegate.h

@@ -74,10 +74,12 @@ class NET_EXPORT LayeredNetworkDelegate : public NetworkDelegate {
                                       AuthCallback callback,
                                       AuthCredentials* credentials) final;
   bool OnCanGetCookies(const URLRequest& request,
-                       const CookieList& cookie_list) final;
+                       const CookieList& cookie_list,
+                       bool allowed_from_caller) final;
   bool OnCanSetCookie(const URLRequest& request,
                       const net::CanonicalCookie& cookie,
-                      CookieOptions* options) final;
+                      CookieOptions* options,
+                      bool allowed_from_caller) final;
   bool OnCanAccessFile(const URLRequest& request,
                        const base::FilePath& original_path,
                        const base::FilePath& absolute_path) const final;
@@ -143,12 +145,14 @@ class NET_EXPORT LayeredNetworkDelegate : public NetworkDelegate {
   virtual void OnPACScriptErrorInternal(int line_number,
                                         const base::string16& error);
 
-  virtual void OnCanGetCookiesInternal(const URLRequest& request,
-                                       const CookieList& cookie_list);
+  virtual bool OnCanGetCookiesInternal(const URLRequest& request,
+                                       const CookieList& cookie_list,
+                                       bool allowed_from_caller);
 
-  virtual void OnCanSetCookieInternal(const URLRequest& request,
+  virtual bool OnCanSetCookieInternal(const URLRequest& request,
                                       const net::CanonicalCookie& cookie,
-                                      CookieOptions* options);
+                                      CookieOptions* options,
+                                      bool allowed_from_caller);
 
   virtual void OnAuthRequiredInternal(URLRequest* request,
                                       const AuthChallengeInfo& auth_info,
@@ -159,7 +163,9 @@ class NET_EXPORT LayeredNetworkDelegate : public NetworkDelegate {
       const base::FilePath& original_path,
       const base::FilePath& absolute_path) const;
 
-  virtual void OnCanEnablePrivacyModeInternal(
+  // If this returns false, it short circuits the corresponding call in any
+  // nested NetworkDelegates.
+  virtual bool OnCanEnablePrivacyModeInternal(
       const GURL& url,
       const GURL& site_for_cookies) const;
 

net/base/layered_network_delegate_unittest.cc

@@ -116,14 +116,16 @@ class TestNetworkDelegateImpl : public NetworkDelegateImpl {
   }
 
   bool OnCanGetCookies(const URLRequest& request,
-                       const CookieList& cookie_list) override {
+                       const CookieList& cookie_list,
+                       bool allowed_from_caller) override {
     IncrementAndCompareCounter("on_can_get_cookies_count");
     return false;
   }
 
   bool OnCanSetCookie(const URLRequest& request,
                       const net::CanonicalCookie& cookie,
-                      CookieOptions* options) override {
+                      CookieOptions* options,
+                      bool allowed_from_caller) override {
     IncrementAndCompareCounter("on_can_set_cookie_count");
     return false;
   }
@@ -204,8 +206,8 @@ class TestLayeredNetworkDelegate : public LayeredNetworkDelegate {
     EXPECT_EQ(
         NetworkDelegate::AUTH_REQUIRED_RESPONSE_NO_ACTION,
         OnAuthRequired(request.get(), *auth_challenge, AuthCallback(), NULL));
-    EXPECT_FALSE(OnCanGetCookies(*request, CookieList()));
-    EXPECT_FALSE(OnCanSetCookie(*request, net::CanonicalCookie(), NULL));
+    EXPECT_FALSE(OnCanGetCookies(*request, CookieList(), true));
+    EXPECT_FALSE(OnCanSetCookie(*request, net::CanonicalCookie(), NULL, true));
     EXPECT_FALSE(OnCanAccessFile(*request, base::FilePath(), base::FilePath()));
     EXPECT_FALSE(OnCanEnablePrivacyMode(GURL(), GURL()));
     EXPECT_FALSE(OnCancelURLRequestWithPolicyViolatingReferrerHeader(
@@ -296,17 +298,21 @@ class TestLayeredNetworkDelegate : public LayeredNetworkDelegate {
     EXPECT_EQ(1, (*counters_)["on_auth_required_count"]);
   }
 
-  void OnCanGetCookiesInternal(const URLRequest& request,
-                               const CookieList& cookie_list) override {
+  bool OnCanGetCookiesInternal(const URLRequest& request,
+                               const CookieList& cookie_list,
+                               bool allowed_from_caller) override {
     ++(*counters_)["on_can_get_cookies_count"];
     EXPECT_EQ(1, (*counters_)["on_can_get_cookies_count"]);
+    return allowed_from_caller;
   }
 
-  void OnCanSetCookieInternal(const URLRequest& request,
+  bool OnCanSetCookieInternal(const URLRequest& request,
                               const net::CanonicalCookie& cookie,
-                              CookieOptions* options) override {
+                              CookieOptions* options,
+                              bool allowed_from_caller) override {
     ++(*counters_)["on_can_set_cookie_count"];
     EXPECT_EQ(1, (*counters_)["on_can_set_cookie_count"]);
+    return allowed_from_caller;
   }
 
   void OnCanAccessFileInternal(
@@ -317,11 +323,12 @@ class TestLayeredNetworkDelegate : public LayeredNetworkDelegate {
     EXPECT_EQ(1, (*counters_)["on_can_access_file_count"]);
   }
 
-  void OnCanEnablePrivacyModeInternal(
+  bool OnCanEnablePrivacyModeInternal(
       const GURL& url,
       const GURL& site_for_cookies) const override {
     ++(*counters_)["on_can_enable_privacy_mode_count"];
     EXPECT_EQ(1, (*counters_)["on_can_enable_privacy_mode_count"]);
+    return false;
   }
 
   bool OnCancelURLRequestWithPolicyViolatingReferrerHeaderInternal(

net/base/network_delegate.cc

@@ -142,18 +142,20 @@ NetworkDelegate::AuthRequiredResponse NetworkDelegate::NotifyAuthRequired(
 }
 
 bool NetworkDelegate::CanGetCookies(const URLRequest& request,
-                                    const CookieList& cookie_list) {
+                                    const CookieList& cookie_list,
+                                    bool allowed_from_caller) {
   DCHECK_CALLED_ON_VALID_THREAD(thread_checker_);
   DCHECK(!(request.load_flags() & LOAD_DO_NOT_SEND_COOKIES));
-  return OnCanGetCookies(request, cookie_list);
+  return OnCanGetCookies(request, cookie_list, allowed_from_caller);
 }
 
 bool NetworkDelegate::CanSetCookie(const URLRequest& request,
-                                   const net::CanonicalCookie& cookie,
-                                   CookieOptions* options) {
+                                   const CanonicalCookie& cookie,
+                                   CookieOptions* options,
+                                   bool allowed_from_caller) {
   DCHECK_CALLED_ON_VALID_THREAD(thread_checker_);
   DCHECK(!(request.load_flags() & LOAD_DO_NOT_SAVE_COOKIES));
-  return OnCanSetCookie(request, cookie, options);
+  return OnCanSetCookie(request, cookie, options, allowed_from_caller);
 }
 
 bool NetworkDelegate::CanAccessFile(const URLRequest& request,

net/base/network_delegate.h

@@ -97,10 +97,12 @@ class NET_EXPORT NetworkDelegate {
                                           AuthCallback callback,
                                           AuthCredentials* credentials);
   bool CanGetCookies(const URLRequest& request,
-                     const CookieList& cookie_list);
+                     const CookieList& cookie_list,
+                     bool allowed_from_caller);
   bool CanSetCookie(const URLRequest& request,
                     const net::CanonicalCookie& cookie,
-                    CookieOptions* options);
+                    CookieOptions* options,
+                    bool allowed_from_caller);
   bool CanAccessFile(const URLRequest& request,
                      const base::FilePath& original_path,
                      const base::FilePath& absolute_path) const;
@@ -287,15 +289,23 @@ class NET_EXPORT NetworkDelegate {
   // Called when reading cookies to allow the network delegate to block access
   // to the cookie. This method will never be invoked when
   // LOAD_DO_NOT_SEND_COOKIES is specified.
+  // The |allowed_from_caller| param is used to pass whether this operation is
+  // allowed from any higher level delegates (for example, in a
+  // LayeredNetworkDelegate). Any custom logic should be ANDed with this bool.
   virtual bool OnCanGetCookies(const URLRequest& request,
-                               const CookieList& cookie_list) = 0;
+                               const CookieList& cookie_list,
+                               bool allowed_from_caller) = 0;
 
   // Called when a cookie is set to allow the network delegate to block access
   // to the cookie. This method will never be invoked when
   // LOAD_DO_NOT_SAVE_COOKIES is specified.
+  // The |allowed_from_caller| param is used to pass whether this operation is
+  // allowed from any higher level delegates (for example, in a
+  // LayeredNetworkDelegate). Any custom logic should be ANDed with this bool.
   virtual bool OnCanSetCookie(const URLRequest& request,
-                              const net::CanonicalCookie& cookie,
-                              CookieOptions* options) = 0;
+                              const CanonicalCookie& cookie,
+                              CookieOptions* options,
+                              bool allowed_from_caller) = 0;
 
   // Called when a file access is attempted to allow the network delegate to
   // allow or block access to the given file path, provided in the original

net/base/network_delegate_impl.cc

@@ -72,14 +72,16 @@ NetworkDelegate::AuthRequiredResponse NetworkDelegateImpl::OnAuthRequired(
 }
 
 bool NetworkDelegateImpl::OnCanGetCookies(const URLRequest& request,
-                                          const CookieList& cookie_list) {
-  return true;
+                                          const CookieList& cookie_list,
+                                          bool allowed_from_caller) {
+  return allowed_from_caller;
 }
 
 bool NetworkDelegateImpl::OnCanSetCookie(const URLRequest& request,
                                          const net::CanonicalCookie& cookie,
-                                         CookieOptions* options) {
-  return true;
+                                         CookieOptions* options,
+                                         bool allowed_from_caller) {
+  return allowed_from_caller;
 }
 
 bool NetworkDelegateImpl::OnCanAccessFile(

net/base/network_delegate_impl.h

@@ -83,11 +83,13 @@ class NET_EXPORT NetworkDelegateImpl : public NetworkDelegate {
                                       AuthCredentials* credentials) override;
 
   bool OnCanGetCookies(const URLRequest& request,
-                       const CookieList& cookie_list) override;
+                       const CookieList& cookie_list,
+                       bool allowed_from_caller) override;
 
   bool OnCanSetCookie(const URLRequest& request,
                       const net::CanonicalCookie& cookie,
-                      CookieOptions* options) override;
+                      CookieOptions* options,
+                      bool allowed_from_caller) override;
 
   bool OnCanAccessFile(const URLRequest& request,
                        const base::FilePath& original_path,

net/proxy_resolution/network_delegate_error_observer_unittest.cc

@@ -66,13 +66,15 @@ class TestNetworkDelegate : public NetworkDelegateImpl {
     return AUTH_REQUIRED_RESPONSE_NO_ACTION;
   }
   bool OnCanGetCookies(const URLRequest& request,
-                       const CookieList& cookie_list) override {
-    return true;
+                       const CookieList& cookie_list,
+                       bool allowed_from_caller) override {
+    return allowed_from_caller;
   }
   bool OnCanSetCookie(const URLRequest& request,
                       const net::CanonicalCookie& cookie,
-                      CookieOptions* options) override {
-    return true;
+                      CookieOptions* options,
+                      bool allowed_from_caller) override {
+    return allowed_from_caller;
   }
   bool OnCanAccessFile(const URLRequest& request,
                        const base::FilePath& original_path,

net/proxy_resolution/pac_file_fetcher_impl_unittest.cc

@@ -198,14 +198,16 @@ class BasicNetworkDelegate : public NetworkDelegateImpl {
   }
 
   bool OnCanGetCookies(const URLRequest& request,
-                       const CookieList& cookie_list) override {
-    return true;
+                       const CookieList& cookie_list,
+                       bool allowed_from_caller) override {
+    return allowed_from_caller;
   }
 
   bool OnCanSetCookie(const URLRequest& request,
                       const net::CanonicalCookie& cookie,
-                      CookieOptions* options) override {
-    return true;
+                      CookieOptions* options,
+                      bool allowed_from_caller) override {
+    return allowed_from_caller;
   }
 
   bool OnCanAccessFile(const URLRequest& request,

net/url_request/url_request.cc

@@ -1064,7 +1064,8 @@ void URLRequest::NotifySSLCertificateError(const SSLInfo& ssl_info,
 bool URLRequest::CanGetCookies(const CookieList& cookie_list) const {
   DCHECK(!(load_flags_ & LOAD_DO_NOT_SEND_COOKIES));
   if (network_delegate_) {
-    return network_delegate_->CanGetCookies(*this, cookie_list);
+    return network_delegate_->CanGetCookies(*this, cookie_list,
+                                            /*allowed_from_caller=*/true);
   }
   return g_default_can_use_cookies;
 }
@@ -1073,7 +1074,8 @@ bool URLRequest::CanSetCookie(const net::CanonicalCookie& cookie,
                               CookieOptions* options) const {
   DCHECK(!(load_flags_ & LOAD_DO_NOT_SAVE_COOKIES));
   if (network_delegate_) {
-    return network_delegate_->CanSetCookie(*this, cookie, options);
+    return network_delegate_->CanSetCookie(*this, cookie, options,
+                                           /*allowed_from_caller=*/true);
   }
   return g_default_can_use_cookies;
 }

net/url_request/url_request_context_builder.cc

@@ -119,14 +119,16 @@ class BasicNetworkDelegate : public NetworkDelegateImpl {
   }
 
   bool OnCanGetCookies(const URLRequest& request,
-                       const CookieList& cookie_list) override {
-    return true;
+                       const CookieList& cookie_list,
+                       bool allowed_from_caller) override {
+    return allowed_from_caller;
   }
 
   bool OnCanSetCookie(const URLRequest& request,
                       const CanonicalCookie& cookie,
-                      CookieOptions* options) override {
-    return true;
+                      CookieOptions* options,
+                      bool allowed_from_caller) override {
+    return allowed_from_caller;
   }
 
   bool OnCanAccessFile(const URLRequest& request,

net/url_request/url_request_test_util.cc

@@ -648,8 +648,9 @@ NetworkDelegate::AuthRequiredResponse TestNetworkDelegate::OnAuthRequired(
 }
 
 bool TestNetworkDelegate::OnCanGetCookies(const URLRequest& request,
-                                          const CookieList& cookie_list) {
-  bool allow = true;
+                                          const CookieList& cookie_list,
+                                          bool allowed_from_caller) {
+  bool allow = allowed_from_caller;
   if (cookie_options_bit_mask_ & NO_GET_COOKIES)
     allow = false;
 
@@ -662,8 +663,9 @@ bool TestNetworkDelegate::OnCanGetCookies(const URLRequest& request,
 
 bool TestNetworkDelegate::OnCanSetCookie(const URLRequest& request,
                                          const net::CanonicalCookie& cookie,
-                                         CookieOptions* options) {
-  bool allow = true;
+                                         CookieOptions* options,
+                                         bool allowed_from_caller) {
+  bool allow = allowed_from_caller;
   if (cookie_options_bit_mask_ & NO_SET_COOKIE)
     allow = false;
 

net/url_request/url_request_test_util.h

@@ -383,10 +383,12 @@ class TestNetworkDelegate : public NetworkDelegateImpl {
       AuthCallback callback,
       AuthCredentials* credentials) override;
   bool OnCanGetCookies(const URLRequest& request,
-                       const CookieList& cookie_list) override;
+                       const CookieList& cookie_list,
+                       bool allowed_from_caller) override;
   bool OnCanSetCookie(const URLRequest& request,
                       const net::CanonicalCookie& cookie,
-                      CookieOptions* options) override;
+                      CookieOptions* options,
+                      bool allowed_from_caller) override;
   bool OnCanAccessFile(const URLRequest& request,
                        const base::FilePath& original_path,
                        const base::FilePath& absolute_path) const override;

services/network/BUILD.gn

@@ -203,7 +203,6 @@ source_set("tests") {
     "keepalive_statistics_recorder_unittest.cc",
     "network_change_manager_unittest.cc",
     "network_context_unittest.cc",
-    "network_service_network_delegate_unittest.cc",
     "network_service_unittest.cc",
     "network_usage_accumulator_unittest.cc",
     "proxy_config_service_mojo_unittest.cc",

services/network/network_context.cc

@@ -228,11 +228,13 @@ class NetworkContext::ContextNetworkDelegate
   ContextNetworkDelegate(
       std::unique_ptr<net::NetworkDelegate> nested_network_delegate,
       bool enable_referrers,
-      bool validate_referrer_policy_on_initial_request)
+      bool validate_referrer_policy_on_initial_request,
+      NetworkContext* network_context)
       : LayeredNetworkDelegate(std::move(nested_network_delegate)),
         enable_referrers_(enable_referrers),
         validate_referrer_policy_on_initial_request_(
-            validate_referrer_policy_on_initial_request) {}
+            validate_referrer_policy_on_initial_request),
+        network_context_(network_context) {}
 
   ~ContextNetworkDelegate() override {}
 
@@ -287,6 +289,35 @@ class NetworkContext::ContextNetworkDelegate
     return true;
   }
 
+  bool OnCanGetCookiesInternal(const net::URLRequest& request,
+                               const net::CookieList& cookie_list,
+                               bool allowed_from_caller) override {
+    return allowed_from_caller &&
+           network_context_->cookie_manager()
+               ->cookie_settings()
+               .IsCookieAccessAllowed(request.url(),
+                                      request.site_for_cookies());
+  }
+
+  bool OnCanSetCookieInternal(const net::URLRequest& request,
+                              const net::CanonicalCookie& cookie,
+                              net::CookieOptions* options,
+                              bool allowed_from_caller) override {
+    return allowed_from_caller &&
+           network_context_->cookie_manager()
+               ->cookie_settings()
+               .IsCookieAccessAllowed(request.url(),
+                                      request.site_for_cookies());
+  }
+
+  bool OnCanEnablePrivacyModeInternal(
+      const GURL& url,
+      const GURL& site_for_cookies) const override {
+    return !network_context_->cookie_manager()
+                ->cookie_settings()
+                .IsCookieAccessAllowed(url, site_for_cookies);
+  }
+
   void set_enable_referrers(bool enable_referrers) {
     enable_referrers_ = enable_referrers;
   }
@@ -294,6 +325,7 @@ class NetworkContext::ContextNetworkDelegate
  private:
   bool enable_referrers_;
   bool validate_referrer_policy_on_initial_request_;
+  NetworkContext* network_context_;
 
   DISALLOW_COPY_AND_ASSIGN(ContextNetworkDelegate);
 };
@@ -909,6 +941,7 @@ URLRequestContextOwner NetworkContext::ApplyContextParamsToBuilder(
   builder->SetCreateLayeredNetworkDelegateCallback(base::BindOnce(
       [](mojom::NetworkContextParams* network_context_params,
          ContextNetworkDelegate** out_context_network_delegate,
+         NetworkContext* network_context,
          std::unique_ptr<net::NetworkDelegate> nested_network_delegate)
           -> std::unique_ptr<net::NetworkDelegate> {
         std::unique_ptr<ContextNetworkDelegate> context_network_delegate =
@@ -916,12 +949,13 @@ URLRequestContextOwner NetworkContext::ApplyContextParamsToBuilder(
                 std::move(nested_network_delegate),
                 network_context_params->enable_referrers,
                 network_context_params
-                    ->validate_referrer_policy_on_initial_request);
+                    ->validate_referrer_policy_on_initial_request,
+                network_context);
         if (out_context_network_delegate)
           *out_context_network_delegate = context_network_delegate.get();
         return context_network_delegate;
       },
-      params_.get(), &context_network_delegate_));
+      params_.get(), &context_network_delegate_, this));
 
   std::vector<scoped_refptr<const net::CTLogVerifier>> ct_logs;
   if (!params_->ct_logs.empty()) {

services/network/network_context_unittest.cc

@@ -95,6 +95,9 @@ namespace network {
 
 namespace {
 
+const GURL kURL("http://foo.com");
+const GURL kOtherURL("http://other.com");
+
 // Sends an HttpResponse for requests for "/" that result in sending an HPKP
 // report.  Ignores other paths to avoid catching the subsequent favicon
 // request.
@@ -125,6 +128,26 @@ mojom::NetworkContextParamsPtr CreateContextParams() {
   return params;
 }
 
+void SetContentSetting(const GURL& primary_pattern,
+                       const GURL& secondary_pattern,
+                       ContentSetting setting,
+                       NetworkContext* network_context) {
+  network_context->cookie_manager()->SetContentSettings(
+      {ContentSettingPatternSource(
+          ContentSettingsPattern::FromURL(primary_pattern),
+          ContentSettingsPattern::FromURL(secondary_pattern),
+          base::Value(setting), std::string(), false)});
+}
+
+void SetDefaultContentSetting(ContentSetting setting,
+                              NetworkContext* network_context) {
+  network_context->cookie_manager()->SetContentSettings(
+      {ContentSettingPatternSource(ContentSettingsPattern::Wildcard(),
+                                   ContentSettingsPattern::Wildcard(),
+                                   base::Value(setting), std::string(),
+                                   false)});
+}
+
 class NetworkContextTest : public testing::Test,
                            public net::SSLConfigService::Observer {
  public:
@@ -2282,6 +2305,133 @@ TEST_F(NetworkContextTest, DestroyNetLogExporterWhileCreatingScratchDir) {
   base::DeleteFile(temp_path, false);
 }
 
+TEST_F(NetworkContextTest, PrivacyModeDisabledByDefault) {
+  std::unique_ptr<NetworkContext> network_context =
+      CreateContextWithParams(CreateContextParams());
+
+  EXPECT_FALSE(network_context->url_request_context()
+                   ->network_delegate()
+                   ->CanEnablePrivacyMode(kURL, kOtherURL));
+}
+
+TEST_F(NetworkContextTest, PrivacyModeEnabledIfCookiesBlocked) {
+  std::unique_ptr<NetworkContext> network_context =
+      CreateContextWithParams(CreateContextParams());
+
+  SetContentSetting(kURL, kOtherURL, CONTENT_SETTING_BLOCK,
+                    network_context.get());
+  EXPECT_TRUE(network_context->url_request_context()
+                  ->network_delegate()
+                  ->CanEnablePrivacyMode(kURL, kOtherURL));
+  EXPECT_FALSE(network_context->url_request_context()
+                   ->network_delegate()
+                   ->CanEnablePrivacyMode(kOtherURL, kURL));
+}
+
+TEST_F(NetworkContextTest, PrivacyModeDisabledIfCookiesAllowed) {
+  std::unique_ptr<NetworkContext> network_context =
+      CreateContextWithParams(CreateContextParams());
+
+  SetContentSetting(kURL, kOtherURL, CONTENT_SETTING_ALLOW,
+                    network_context.get());
+  EXPECT_FALSE(network_context->url_request_context()
+                   ->network_delegate()
+                   ->CanEnablePrivacyMode(kURL, kOtherURL));
+}
+
+TEST_F(NetworkContextTest, PrivacyModeDisabledIfCookiesSettingForOtherURL) {
+  std::unique_ptr<NetworkContext> network_context =
+      CreateContextWithParams(CreateContextParams());
+
+  // URLs are switched so setting should not apply.
+  SetContentSetting(kOtherURL, kURL, CONTENT_SETTING_BLOCK,
+                    network_context.get());
+  EXPECT_FALSE(network_context->url_request_context()
+                   ->network_delegate()
+                   ->CanEnablePrivacyMode(kURL, kOtherURL));
+}
+
+TEST_F(NetworkContextTest, PrivacyModeEnabledIfThirdPartyCookiesBlocked) {
+  std::unique_ptr<NetworkContext> network_context =
+      CreateContextWithParams(CreateContextParams());
+  net::NetworkDelegate* delegate =
+      network_context->url_request_context()->network_delegate();
+
+  network_context->cookie_manager()->BlockThirdPartyCookies(true);
+  EXPECT_TRUE(delegate->CanEnablePrivacyMode(kURL, kOtherURL));
+  EXPECT_FALSE(delegate->CanEnablePrivacyMode(kURL, kURL));
+
+  network_context->cookie_manager()->BlockThirdPartyCookies(false);
+  EXPECT_FALSE(delegate->CanEnablePrivacyMode(kURL, kOtherURL));
+  EXPECT_FALSE(delegate->CanEnablePrivacyMode(kURL, kURL));
+}
+
+TEST_F(NetworkContextTest, CanSetCookieFalseIfCookiesBlocked) {
+  std::unique_ptr<NetworkContext> network_context =
+      CreateContextWithParams(CreateContextParams());
+  net::URLRequestContext context;
+  std::unique_ptr<net::URLRequest> request = context.CreateRequest(
+      kURL, net::DEFAULT_PRIORITY, nullptr, TRAFFIC_ANNOTATION_FOR_TESTS);
+  net::CanonicalCookie cookie("TestCookie", "1", "www.test.com", "/",
+                              base::Time(), base::Time(), base::Time(), false,
+                              false, net::CookieSameSite::NO_RESTRICTION,
+                              net::COOKIE_PRIORITY_LOW);
+
+  EXPECT_TRUE(
+      network_context->url_request_context()->network_delegate()->CanSetCookie(
+          *request, cookie, nullptr, true));
+  SetDefaultContentSetting(CONTENT_SETTING_BLOCK, network_context.get());
+  EXPECT_FALSE(
+      network_context->url_request_context()->network_delegate()->CanSetCookie(
+          *request, cookie, nullptr, true));
+}
+
+TEST_F(NetworkContextTest, CanSetCookieTrueIfCookiesAllowed) {
+  std::unique_ptr<NetworkContext> network_context =
+      CreateContextWithParams(CreateContextParams());
+  net::URLRequestContext context;
+  std::unique_ptr<net::URLRequest> request = context.CreateRequest(
+      kURL, net::DEFAULT_PRIORITY, nullptr, TRAFFIC_ANNOTATION_FOR_TESTS);
+  net::CanonicalCookie cookie("TestCookie", "1", "www.test.com", "/",
+                              base::Time(), base::Time(), base::Time(), false,
+                              false, net::CookieSameSite::NO_RESTRICTION,
+                              net::COOKIE_PRIORITY_LOW);
+
+  SetDefaultContentSetting(CONTENT_SETTING_ALLOW, network_context.get());
+  EXPECT_TRUE(
+      network_context->url_request_context()->network_delegate()->CanSetCookie(
+          *request, cookie, nullptr, true));
+}
+
+TEST_F(NetworkContextTest, CanGetCookiesFalseIfCookiesBlocked) {
+  std::unique_ptr<NetworkContext> network_context =
+      CreateContextWithParams(CreateContextParams());
+  net::URLRequestContext context;
+  std::unique_ptr<net::URLRequest> request = context.CreateRequest(
+      kURL, net::DEFAULT_PRIORITY, nullptr, TRAFFIC_ANNOTATION_FOR_TESTS);
+
+  EXPECT_TRUE(
+      network_context->url_request_context()->network_delegate()->CanGetCookies(
+          *request, {}, true));
+  SetDefaultContentSetting(CONTENT_SETTING_BLOCK, network_context.get());
+  EXPECT_FALSE(
+      network_context->url_request_context()->network_delegate()->CanGetCookies(
+          *request, {}, true));
+}
+
+TEST_F(NetworkContextTest, CanGetCookiesTrueIfCookiesAllowed) {
+  std::unique_ptr<NetworkContext> network_context =
+      CreateContextWithParams(CreateContextParams());
+  net::URLRequestContext context;
+  std::unique_ptr<net::URLRequest> request = context.CreateRequest(
+      kURL, net::DEFAULT_PRIORITY, nullptr, TRAFFIC_ANNOTATION_FOR_TESTS);
+
+  SetDefaultContentSetting(CONTENT_SETTING_ALLOW, network_context.get());
+  EXPECT_TRUE(
+      network_context->url_request_context()->network_delegate()->CanGetCookies(
+          *request, {}, true));
+}
+
 }  // namespace
 
 }  // namespace network

services/network/network_service_network_delegate.cc

@@ -16,35 +16,31 @@ NetworkServiceNetworkDelegate::NetworkServiceNetworkDelegate(
 
 bool NetworkServiceNetworkDelegate::OnCanGetCookies(
     const net::URLRequest& request,
-    const net::CookieList& cookie_list) {
-  bool allow =
-      network_context_->cookie_manager()
-          ->cookie_settings()
-          .IsCookieAccessAllowed(request.url(), request.site_for_cookies());
+    const net::CookieList& cookie_list,
+    bool allowed_from_caller) {
   URLLoader* url_loader = URLLoader::ForRequest(request);
   if (url_loader) {
     network_context_->network_service()->client()->OnCookiesRead(
         url_loader->GetProcessId(), url_loader->GetRenderFrameId(),
-        request.url(), request.site_for_cookies(), cookie_list, !allow);
+        request.url(), request.site_for_cookies(), cookie_list,
+        !allowed_from_caller);
   }
-  return allow;
+  return allowed_from_caller;
 }
 
 bool NetworkServiceNetworkDelegate::OnCanSetCookie(
     const net::URLRequest& request,
     const net::CanonicalCookie& cookie,
-    net::CookieOptions* options) {
-  bool allow =
-      network_context_->cookie_manager()
-          ->cookie_settings()
-          .IsCookieAccessAllowed(request.url(), request.site_for_cookies());
+    net::CookieOptions* options,
+    bool allowed_from_caller) {
   URLLoader* url_loader = URLLoader::ForRequest(request);
   if (url_loader) {
     network_context_->network_service()->client()->OnCookieChange(
         url_loader->GetProcessId(), url_loader->GetRenderFrameId(),
-        request.url(), request.site_for_cookies(), cookie, !allow);
+        request.url(), request.site_for_cookies(), cookie,
+        !allowed_from_caller);
   }
-  return allow;
+  return allowed_from_caller;
 }
 
 bool NetworkServiceNetworkDelegate::OnCanAccessFile(
@@ -56,12 +52,4 @@ bool NetworkServiceNetworkDelegate::OnCanAccessFile(
   return true;
 }
 
-bool NetworkServiceNetworkDelegate::OnCanEnablePrivacyMode(
-    const GURL& url,
-    const GURL& site_for_cookies) const {
-  return !network_context_->cookie_manager()
-              ->cookie_settings()
-              .IsCookieAccessAllowed(url, site_for_cookies);
-}
-
 }  // namespace network

services/network/network_service_network_delegate.h

@@ -22,15 +22,15 @@ class COMPONENT_EXPORT(NETWORK_SERVICE) NetworkServiceNetworkDelegate
  private:
   // net::NetworkDelegateImpl implementation.
   bool OnCanGetCookies(const net::URLRequest& request,
-                       const net::CookieList& cookie_list) override;
+                       const net::CookieList& cookie_list,
+                       bool allowed_from_caller) override;
   bool OnCanSetCookie(const net::URLRequest& request,
                       const net::CanonicalCookie& cookie,
-                      net::CookieOptions* options) override;
+                      net::CookieOptions* options,
+                      bool allowed_from_caller) override;
   bool OnCanAccessFile(const net::URLRequest& request,
                        const base::FilePath& original_path,
                        const base::FilePath& absolute_path) const override;
-  bool OnCanEnablePrivacyMode(const GURL& url,
-                              const GURL& site_for_cookies) const override;
 
   NetworkContext* network_context_;
 

services/network/network_service_network_delegate_unittest.cc

-// Copyright 2018 The Chromium Authors. All rights reserved.
-// Use of this source code is governed by a BSD-style license that can be
-// found in the LICENSE file.
-
-#include "services/network/network_service_network_delegate.h"
-
-#include "base/test/scoped_task_environment.h"
-#include "services/network/network_context.h"
-#include "services/network/network_service.h"
-#include "testing/gtest/include/gtest/gtest.h"
-
-namespace network {
-namespace {
-
-const GURL kURL("http://foo.com");
-const GURL kOtherURL("http://other.com");
-
-class NetworkServiceNetworkDelegateTest : public testing::Test {
- public:
-  NetworkServiceNetworkDelegateTest()
-      : network_service_(NetworkService::CreateForTesting()) {
-    mojom::NetworkContextPtr network_context_ptr;
-    network_context_ = std::make_unique<NetworkContext>(
-        network_service_.get(), mojo::MakeRequest(&network_context_ptr),
-        mojom::NetworkContextParams::New());
-  }
-
-  void SetContentSetting(const GURL& primary_pattern,
-                         const GURL& secondary_pattern,
-                         ContentSetting setting) {
-    network_context_->cookie_manager()->SetContentSettings(
-        {ContentSettingPatternSource(
-            ContentSettingsPattern::FromURL(primary_pattern),
-            ContentSettingsPattern::FromURL(secondary_pattern),
-            base::Value(setting), std::string(), false)});
-  }
-
-  void SetBlockThirdParty(bool block) {
-    network_context_->cookie_manager()->BlockThirdPartyCookies(block);
-  }
-
-  NetworkContext* network_context() const { return network_context_.get(); }
-
- private:
-  base::test::ScopedTaskEnvironment scoped_task_environment_;
-  std::unique_ptr<NetworkService> network_service_;
-  std::unique_ptr<NetworkContext> network_context_;
-};
-
-TEST_F(NetworkServiceNetworkDelegateTest, PrivacyModeDisabledByDefault) {
-  NetworkServiceNetworkDelegate delegate(network_context());
-
-  EXPECT_FALSE(delegate.CanEnablePrivacyMode(kURL, kOtherURL));
-}
-
-TEST_F(NetworkServiceNetworkDelegateTest, PrivacyModeEnabledIfCookiesBlocked) {
-  NetworkServiceNetworkDelegate delegate(network_context());
-
-  SetContentSetting(kURL, kOtherURL, CONTENT_SETTING_BLOCK);
-  EXPECT_TRUE(delegate.CanEnablePrivacyMode(kURL, kOtherURL));
-}
-
-TEST_F(NetworkServiceNetworkDelegateTest, PrivacyModeDisabledIfCookiesAllowed) {
-  NetworkServiceNetworkDelegate delegate(network_context());
-
-  SetContentSetting(kURL, kOtherURL, CONTENT_SETTING_ALLOW);
-  EXPECT_FALSE(delegate.CanEnablePrivacyMode(kURL, kOtherURL));
-}
-
-TEST_F(NetworkServiceNetworkDelegateTest,
-       PrivacyModeDisabledIfCookiesSettingForOtherURL) {
-  NetworkServiceNetworkDelegate delegate(network_context());
-
-  // URLs are switched so setting should not apply.
-  SetContentSetting(kOtherURL, kURL, CONTENT_SETTING_BLOCK);
-  EXPECT_FALSE(delegate.CanEnablePrivacyMode(kURL, kOtherURL));
-}
-
-TEST_F(NetworkServiceNetworkDelegateTest,
-       PrivacyModeEnabledIfThirdPartyCookiesBlocked) {
-  NetworkServiceNetworkDelegate delegate(network_context());
-
-  SetBlockThirdParty(true);
-  EXPECT_TRUE(delegate.CanEnablePrivacyMode(kURL, kOtherURL));
-  EXPECT_FALSE(delegate.CanEnablePrivacyMode(kURL, kURL));
-
-  SetBlockThirdParty(false);
-  EXPECT_FALSE(delegate.CanEnablePrivacyMode(kURL, kOtherURL));
-  EXPECT_FALSE(delegate.CanEnablePrivacyMode(kURL, kURL));
-}
-
-}  // namespace
-}  // namespace network