CSP Sandbox should allow third-party cookies
Issue description
UserAgent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/52.0.2743.116 Safari/537.36
Example URL:
Steps to reproduce the problem:
1. Disable third-party cookies in user preferences. This can be done by going to settings -> advanced settings -> Privacy -> Content settings... and checking "Block third-party cookies and data"
2. View a page that is running in a CSP (Content-Security-Policy) sandbox. Observe that requests to the same domain do not have cookies.
Here is a PoC to demonstrate the issue.
index.php:
<?php
header("Content-Security-Policy: sandbox allow-scripts");
header("Set-Cookie: foo=bar; path=/");
?><!DOCTYPE html>
<img src="img.php">
img.php:
<?php
header("Content-Type: image/svg+xml");
?>
<svg xmlns="http://www.w3.org/2000/svg" width="300px" height="300px">
<text x='60' y='250' fill='blue'>cookie:
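"<?php
// Echo the Cookie request header; print an empty string when the browser sent none.
echo htmlspecialchars(isset($_SERVER['HTTP_COOKIE']) ? $_SERVER['HTTP_COOKIE'] : '');
?>"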
</text>
</svg>
What is the expected behavior?
Only cookies for third-party domains should be blocked. Same-domain cookies should be allowed.
What went wrong?
Chrome appears to use the synthesized origin "null" when determining the first-party origin for the purpose of cookie policy. This has the effect of blocking cookies on all requests on the page, which is not the intent of the policy. Chrome should permit cookies on same-domain requests.
Does it occur on multiple sites: N/A
Is it a problem with a plugin? N/A
Did this work before? No
Does this work in other browsers? N/A
Chrome version: 52.0.2743.116 Channel: stable
OS Version:
Flash Version: Shockwave Flash 22.0 r0
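The first-party decision described in the report, as a simplified model. This is an added example, not part of the original report and not Chrome's code; the function names, the host-equality test for "same domain", and the example.* URLs are assumptions made for illustration.

```javascript
// Simplified model of the decision described in this report; not Chrome's code.
// Assumption: "same domain" is approximated by exact host equality
// (a real browser compares registrable domains using the Public Suffix List).

// Constructed sample URLs mirroring the PoC layout (index.php loads img.php).
const DOC = 'https://app.example/index.php';
const IMG = 'https://app.example/img.php';

// Return the sandbox flags from a Content-Security-Policy header value,
// or null when the policy has no sandbox directive.
function sandboxFlags(csp) {
  for (const directive of csp.split(';')) {
    const [name, ...tokens] = directive.trim().split(/\s+/);
    if (name.toLowerCase() === 'sandbox') return tokens.map(t => t.toLowerCase());
  }
  return null;
}

// Origin the document runs in: opaque ("null") when sandboxed without
// allow-same-origin, otherwise the origin of its URL.
function documentOrigin(docUrl, csp) {
  const flags = sandboxFlags(csp || '');
  if (flags && !flags.includes('allow-same-origin')) return 'null';
  return new URL(docUrl).origin;
}

// Third-party test applied when "Block third-party cookies" is enabled.
function isThirdParty(requestUrl, firstParty) {
  if (firstParty === 'null') return true; // an opaque origin matches no host
  return new URL(requestUrl).hostname !== new URL(firstParty).hostname;
}

// model 'observed': first party is the (possibly opaque) document origin.
// model 'expected': first party is derived from the document URL, as the
// report asks for.
function cookiesSent(docUrl, csp, requestUrl, model) {
  const firstParty = model === 'observed'
    ? documentOrigin(docUrl, csp)
    : new URL(docUrl).origin;
  return !isThirdParty(requestUrl, firstParty);
}

console.log(cookiesSent(DOC, 'sandbox allow-scripts', IMG, 'observed'));
console.log(cookiesSent(DOC, 'sandbox allow-scripts', IMG, 'expected'));
```

Under the 'observed' model the PoC's policy (sandbox allow-scripts) makes every request third-party, including the one to img.php on the same host.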
Sep 1 2016
Jun 28 2017
dobkin@ - Could you please provide a sample URL to test the issue? This will help us in triaging the issue further. Thanks...!!
Jun 29 2017
Jul 13 2017
dobkin@ gentle ping, please respond to comment #3.
Jul 21 2017
Archiving bug due to feedback not received. dobkin@, if you want to revisit this bug, please file a new bug with the requested information (in this case, a sample URL for this issue).
Comment 1 by sheriffbot@chromium.org, Aug 30 2016