Add IsolationInfo to certificate fetches.

This sets it to be based on the URL being fetched. This does not address
any cross-site tracking concerns around the cert fetches themselves, but
is instead aimed at letting us DCHECK that all URLRequests have a
non-empty IsolationInfo, to help us catch any other places that are
potentially leaking information across sites.

Bug: 1082280
Change-Id: Ie9b29b5f16b8c01dee23975e82d701d8f98e0489
Reviewed-on: https://chromium-review.googlesource.com/c/chromium/src/+/2198924Reviewed-by: Ryan Sleevi <rsleevi@chromium.org>
Commit-Queue: Matt Menke <mmenke@chromium.org>
Cr-Commit-Position: refs/heads/master@{#768789}

net/cert_net/cert_net_fetcher_url_request.cc

@@ -71,11 +71,14 @@
 #include "base/synchronization/waitable_event.h"
 #include "base/threading/thread_task_runner_handle.h"
 #include "base/timer/timer.h"
+#include "net/base/isolation_info.h"
 #include "net/base/load_flags.h"
 #include "net/cert/cert_net_fetcher.h"
+#include "net/cookies/site_for_cookies.h"
 #include "net/traffic_annotation/network_traffic_annotation.h"
 #include "net/url_request/redirect_info.h"
 #include "net/url_request/url_request_context.h"
+#include "url/origin.h"
 
 // TODO(eroman): Add support for POST parameters.
 // TODO(eroman): Add controls for bypassing the cache.
@@ -469,9 +472,9 @@ void Job::StartURLRequest(URLRequestContext* context) {
 
   // Start the URLRequest.
   read_buffer_ = base::MakeRefCounted<IOBuffer>(kReadBufferSizeInBytes);
-  net::NetworkTrafficAnnotationTag traffic_annotation =
-      net::DefineNetworkTrafficAnnotation("certificate_verifier_url_request",
-                                          R"(
+  NetworkTrafficAnnotationTag traffic_annotation =
+      DefineNetworkTrafficAnnotation("certificate_verifier_url_request",
+                                     R"(
         semantics {
           sender: "Certificate Verifier"
           description:
@@ -506,9 +509,24 @@ void Job::StartURLRequest(URLRequestContext* context) {
   if (request_params_->http_method == HTTP_METHOD_POST)
     url_request_->set_method("POST");
   url_request_->set_allow_credentials(false);
+
   // Disable secure DNS for hostname lookups triggered by certificate network
   // fetches to prevent deadlock.
   url_request_->SetDisableSecureDns(true);
+
+  // Create IsolationInfo based on the origin of the requested URL.
+  // TODO(https://crbug.com/1016890): Cert validation needs to either be
+  // double-keyed or based on a static database, to protect it from being used
+  // as a cross-site user tracking vector. For now, just treat it as if it were
+  // a subresource request of the origin used for the request. This allows the
+  // result to still be cached in the HTTP cache, and lets URLRequest DCHECK
+  // that all requests have non-empty IsolationInfos.
+  url::Origin origin = url::Origin::Create(request_params_->url);
+  url_request_->set_isolation_info(
+      IsolationInfo::Create(IsolationInfo::RedirectMode::kUpdateNothing,
+                            origin /* top_frame_origin */,
+                            origin /* frame_origin */, SiteForCookies()));
+
   url_request_->Start();
 
   // Start a timer to limit how long the job runs for.