I think <a download> just doesn't set the origin, just the referrer.  It predates browser-side origin tracking.

mkwst: a[download] should behave the same as a top level navigation. Should the initiator be the document origin or unique?

The initiator should be the origin of the document that triggers the download. That is, `<a download href="https://example.com/sekrit-data">Secrets!</a>` should send `SameSite=Strict` cookies when initiated from `example.com` only, and should send `SameSite=Lax` cookies in all cases.

Based on the test you submitted in https://codereview.chromium.org/2561903002, it looks like we're not setting the initiator correctly.

Yup. We aren't setting the initiator at all.

I saw the comment at https://cs.chromium.org/chromium/src/third_party/WebKit/Source/core/loader/FrameLoadRequest.cpp?rcl=1481271738&l=88 and wanted to clarify what we should do here. I'll update the code.

Note that we only hit that block if |originDocument| doesn't exist. That is, this is what we do when there's no document in the top-level that we're navigating to, and there's no opener document (e.g. the user typed something into the omnibox). Since there's no initiator at all, we currently set the initiator to the URL that we're requesting in order to ensure that SameSite cookies are delivered. I think the plan is to replace that with `nullptr` (which should actually be possible now that //content treats the initiator as `base::Optional`).

For the download case, we should know what page initiated the request, and should set the attribute accordingly.

(Thank you for taking this on! Happy to review a patch. :) )

https://codereview.chromium.org/2561903002

The following revision refers to this bug:
  https://chromium.googlesource.com/chromium/src.git/+/e6567ba989cbfd9780e0a5cdff960a3ae903b0ad

commit e6567ba989cbfd9780e0a5cdff960a3ae903b0ad
Author: asanka <asanka@chromium.org>
Date: Fri Dec 16 17:36:01 2016

[downloads] Set initiator when handling downloads via a[download]

Downloads initiated via clicking on an anchor with a 'download'
attribute should behave the same way with regard to cookie handling as a
download initiated via a top level navigation.

This CL adds logic to set the initiator origin for URLRequests initiated
in response to such downloads so that the handling of SameSite cookies
follows suit with top level navigations.

R=mkwst@chromium.org, clamy@chromium.org
BUG= 648043 
CQ_INCLUDE_TRYBOTS=master.tryserver.chromium.linux:linux_site_isolation

Review-Url: https://codereview.chromium.org/2561903002
Cr-Commit-Position: refs/heads/master@{#439137}

[modify] https://crrev.com/e6567ba989cbfd9780e0a5cdff960a3ae903b0ad/content/browser/download/download_browsertest.cc
[modify] https://crrev.com/e6567ba989cbfd9780e0a5cdff960a3ae903b0ad/content/browser/download/download_request_core.cc
[modify] https://crrev.com/e6567ba989cbfd9780e0a5cdff960a3ae903b0ad/content/browser/frame_host/render_frame_message_filter.cc
[modify] https://crrev.com/e6567ba989cbfd9780e0a5cdff960a3ae903b0ad/content/browser/frame_host/render_frame_message_filter.h
[modify] https://crrev.com/e6567ba989cbfd9780e0a5cdff960a3ae903b0ad/content/browser/renderer_host/render_view_host_unittest.cc
[modify] https://crrev.com/e6567ba989cbfd9780e0a5cdff960a3ae903b0ad/content/common/frame_messages.h
[modify] https://crrev.com/e6567ba989cbfd9780e0a5cdff960a3ae903b0ad/content/public/browser/download_url_parameters.h
[modify] https://crrev.com/e6567ba989cbfd9780e0a5cdff960a3ae903b0ad/content/renderer/render_frame_impl.cc
[add] https://crrev.com/e6567ba989cbfd9780e0a5cdff960a3ae903b0ad/content/test/data/download/download-attribute-same-site-cookie.html
[add] https://crrev.com/e6567ba989cbfd9780e0a5cdff960a3ae903b0ad/content/test/data/download/download-attribute-same-site-cookie.html.mock-http-headers
[modify] https://crrev.com/e6567ba989cbfd9780e0a5cdff960a3ae903b0ad/third_party/WebKit/Source/core/html/HTMLAnchorElement.cpp