add NetworkIsolationPartition to IsolationInfo

Certain use cases require separate network state from other requests
with the same (top_frame_site, frame_site), but would like to access the
HTTPCache, so using a transient IsolationInfo is not sufficient.

The goal is to extend IsolationInfo,NetworkIsolationKey, and
NetworkAnonymizationKey to include an additional enum value called
NetworkIsolationPartition, creating a three-part key: (top_frame_origin,
frame_origin, network_isolation_partition).

This CL incorporates the enum into the IsolationInfo. Previous CLs
incorporated the enum into the NIK and NAK.

Bug: 396463430
Change-Id: Ic6e21e5e21d9e85394e8bfd4725d45765afb002c
Reviewed-on: https://chromium-review.googlesource.com/c/chromium/src/+/6266263
Reviewed-by: Steven Bingler <bingler@chromium.org>
Commit-Queue: Abigail Katcoff <abigailkatcoff@chromium.org>
Reviewed-by: mmenke <mmenke@chromium.org>
Reviewed-by: Dominic Farolino <dom@chromium.org>
Cr-Commit-Position: refs/heads/main@{#1424800}

net/BUILD.gn

@@ -3039,6 +3039,7 @@ target(_test_target_type, "net_unittests") {
 
   deps = [
     ":cronet_buildflags",
+    ":isolation_info_proto",
     ":net",
     ":preload_decoder",
     ":quic_test_tools",

net/base/isolation_info.cc

@@ -13,6 +13,7 @@
 #include "net/base/isolation_info.h"
 #include "net/base/isolation_info.pb.h"
 #include "net/base/network_anonymization_key.h"
+#include "net/base/network_isolation_partition.h"
 #include "net/base/proxy_server.h"
 
 namespace net {
@@ -95,7 +96,8 @@ IsolationInfo::IsolationInfo()
                     /*top_frame_origin=*/std::nullopt,
                     /*frame_origin=*/std::nullopt,
                     SiteForCookies(),
-                    /*nonce=*/std::nullopt) {}
+                    /*nonce=*/std::nullopt,
+                    NetworkIsolationPartition::kGeneral) {}
 
 IsolationInfo::IsolationInfo(const IsolationInfo&) = default;
 IsolationInfo::IsolationInfo(IsolationInfo&&) = default;
@@ -107,14 +109,16 @@ IsolationInfo IsolationInfo::CreateForInternalRequest(
     const url::Origin& top_frame_origin) {
   return IsolationInfo(RequestType::kOther, top_frame_origin, top_frame_origin,
                        SiteForCookies::FromOrigin(top_frame_origin),
-                       /*nonce=*/std::nullopt);
+                       /*nonce=*/std::nullopt,
+                       NetworkIsolationPartition::kGeneral);
 }
 
 IsolationInfo IsolationInfo::CreateTransient(
     const std::optional<base::UnguessableToken>& nonce) {
   url::Origin opaque_origin;
   return IsolationInfo(RequestType::kOther, opaque_origin, opaque_origin,
-                       SiteForCookies(), /*nonce=*/nonce);
+                       SiteForCookies(), /*nonce=*/nonce,
+                       NetworkIsolationPartition::kGeneral);
 }
 
 std::optional<IsolationInfo> IsolationInfo::Deserialize(
@@ -131,11 +135,23 @@ std::optional<IsolationInfo> IsolationInfo::Deserialize(
   if (proto.has_frame_origin())
     frame_origin = url::Origin::Create(GURL(proto.frame_origin()));
 
+  NetworkIsolationPartition network_isolation_partition =
+      NetworkIsolationPartition::kGeneral;
+  if (proto.has_network_isolation_partition()) {
+    if (proto.network_isolation_partition() >
+            static_cast<int32_t>(NetworkIsolationPartition::kMaxValue) ||
+        proto.network_isolation_partition() < 0) {
+      return std::nullopt;
+    }
+    network_isolation_partition = static_cast<NetworkIsolationPartition>(
+        proto.network_isolation_partition());
+  }
+
   return IsolationInfo::CreateIfConsistent(
       static_cast<RequestType>(proto.request_type()),
       std::move(top_frame_origin), std::move(frame_origin),
       SiteForCookies::FromUrl(GURL(proto.site_for_cookies())),
-      /*nonce=*/std::nullopt);
+      /*nonce=*/std::nullopt, network_isolation_partition);
 }
 
 IsolationInfo IsolationInfo::Create(
@@ -143,9 +159,10 @@ IsolationInfo IsolationInfo::Create(
     const url::Origin& top_frame_origin,
     const url::Origin& frame_origin,
     const SiteForCookies& site_for_cookies,
-    const std::optional<base::UnguessableToken>& nonce) {
+    const std::optional<base::UnguessableToken>& nonce,
+    NetworkIsolationPartition network_isolation_partition) {
   return IsolationInfo(request_type, top_frame_origin, frame_origin,
-                       site_for_cookies, nonce);
+                       site_for_cookies, nonce, network_isolation_partition);
 }
 
 IsolationInfo IsolationInfo::DoNotUseCreatePartialFromNak(
@@ -184,13 +201,14 @@ std::optional<IsolationInfo> IsolationInfo::CreateIfConsistent(
     const std::optional<url::Origin>& top_frame_origin,
     const std::optional<url::Origin>& frame_origin,
     const SiteForCookies& site_for_cookies,
-    const std::optional<base::UnguessableToken>& nonce) {
+    const std::optional<base::UnguessableToken>& nonce,
+    NetworkIsolationPartition network_isolation_partition) {
   if (!IsConsistent(request_type, top_frame_origin, frame_origin,
                     site_for_cookies, nonce)) {
     return std::nullopt;
   }
   return IsolationInfo(request_type, top_frame_origin, frame_origin,
-                       site_for_cookies, nonce);
+                       site_for_cookies, nonce, network_isolation_partition);
 }
 
 IsolationInfo IsolationInfo::CreateForRedirect(
@@ -200,12 +218,14 @@ IsolationInfo IsolationInfo::CreateForRedirect(
 
   if (request_type_ == RequestType::kSubFrame) {
     return IsolationInfo(request_type_, top_frame_origin_, new_origin,
-                         site_for_cookies_, nonce_);
+                         site_for_cookies_, nonce_,
+                         GetNetworkIsolationPartition());
   }
 
   DCHECK_EQ(RequestType::kMainFrame, request_type_);
   return IsolationInfo(request_type_, new_origin, new_origin,
-                       SiteForCookies::FromOrigin(new_origin), nonce_);
+                       SiteForCookies::FromOrigin(new_origin), nonce_,
+                       GetNetworkIsolationPartition());
 }
 
 const std::optional<url::Origin>& IsolationInfo::frame_origin() const {
@@ -236,6 +256,13 @@ std::string IsolationInfo::Serialize() const {
   if (frame_origin_)
     info.set_frame_origin(frame_origin_->Serialize());
 
+  // The NetworkIsolationPartition defaults to kGeneral if not present in
+  // the protobuf.
+  if (GetNetworkIsolationPartition() != NetworkIsolationPartition::kGeneral) {
+    info.set_network_isolation_partition(
+        static_cast<int32_t>(GetNetworkIsolationPartition()));
+  }
+
   info.set_site_for_cookies(site_for_cookies_.RepresentativeUrl().spec());
 
   return info.SerializeAsString();
@@ -289,11 +316,13 @@ std::string IsolationInfo::DebugString() const {
   return s;
 }
 
-IsolationInfo::IsolationInfo(RequestType request_type,
+IsolationInfo::IsolationInfo(
-                             const std::optional<url::Origin>& top_frame_origin,
+    RequestType request_type,
-                             const std::optional<url::Origin>& frame_origin,
+    const std::optional<url::Origin>& top_frame_origin,
-                             const SiteForCookies& site_for_cookies,
+    const std::optional<url::Origin>& frame_origin,
-                             const std::optional<base::UnguessableToken>& nonce)
+    const SiteForCookies& site_for_cookies,
+    const std::optional<base::UnguessableToken>& nonce,
+    NetworkIsolationPartition network_isolation_partition)
     : request_type_(request_type),
       top_frame_origin_(top_frame_origin),
       frame_origin_(frame_origin),
@@ -302,13 +331,15 @@ IsolationInfo::IsolationInfo(RequestType request_type,
               ? NetworkIsolationKey()
               : NetworkIsolationKey(SchemefulSite(*top_frame_origin),
                                     SchemefulSite(*frame_origin),
-                                    nonce)),
+                                    nonce,
+                                    network_isolation_partition)),
       network_anonymization_key_(
           !top_frame_origin ? NetworkAnonymizationKey()
                             : NetworkAnonymizationKey::CreateFromFrameSite(
                                   SchemefulSite(*top_frame_origin),
                                   SchemefulSite(*frame_origin),
-                                  nonce)),
+                                  nonce,
+                                  network_isolation_partition)),
       site_for_cookies_(site_for_cookies),
       nonce_(nonce) {
   DCHECK(IsConsistent(request_type_, top_frame_origin_, frame_origin_,

net/base/isolation_info.h

@@ -13,6 +13,7 @@
 #include "net/base/net_export.h"
 #include "net/base/network_anonymization_key.h"
 #include "net/base/network_isolation_key.h"
+#include "net/base/network_isolation_partition.h"
 #include "net/cookies/site_for_cookies.h"
 #include "url/origin.h"
 
@@ -150,7 +151,9 @@ class NET_EXPORT IsolationInfo {
       const url::Origin& top_frame_origin,
       const url::Origin& frame_origin,
       const SiteForCookies& site_for_cookies,
-      const std::optional<base::UnguessableToken>& nonce = std::nullopt);
+      const std::optional<base::UnguessableToken>& nonce = std::nullopt,
+      NetworkIsolationPartition network_isolation_partition =
+          NetworkIsolationPartition::kGeneral);
 
   // TODO(crbug.com/344943210): Remove this and create a safer way to ensure
   // NIKs created from NAKs aren't used by accident.
@@ -168,7 +171,9 @@ class NET_EXPORT IsolationInfo {
       const std::optional<url::Origin>& top_frame_origin,
       const std::optional<url::Origin>& frame_origin,
       const SiteForCookies& site_for_cookies,
-      const std::optional<base::UnguessableToken>& nonce = std::nullopt);
+      const std::optional<base::UnguessableToken>& nonce = std::nullopt,
+      NetworkIsolationPartition network_isolation_partition =
+          NetworkIsolationPartition::kGeneral);
 
   // Create a new IsolationInfo for a redirect to the supplied origin. |this| is
   // unmodified.
@@ -209,6 +214,10 @@ class NET_EXPORT IsolationInfo {
 
   const std::optional<base::UnguessableToken>& nonce() const { return nonce_; }
 
+  NetworkIsolationPartition GetNetworkIsolationPartition() const {
+    return network_isolation_key_.GetNetworkIsolationPartition();
+  }
+
   // The value that should be consulted for the third-party cookie blocking
   // policy, as defined in Section 2.1.1 and 2.1.2 of
   // https://tools.ietf.org/html/draft-ietf-httpbis-cookie-same-site.
@@ -230,7 +239,8 @@ class NET_EXPORT IsolationInfo {
                 const std::optional<url::Origin>& top_frame_origin,
                 const std::optional<url::Origin>& frame_origin,
                 const SiteForCookies& site_for_cookies,
-                const std::optional<base::UnguessableToken>& nonce);
+                const std::optional<base::UnguessableToken>& nonce,
+                NetworkIsolationPartition network_isolation_partition);
 
   RequestType request_type_;
 

net/base/isolation_info.proto

@@ -13,6 +13,8 @@ message IsolationInfo {
   optional string top_frame_origin = 2;
   optional string frame_origin = 3;
   optional string site_for_cookies = 4;
+  optional int32 network_isolation_partition =
+      6;  // net::NetworkIsolationPartition. Defaults to kGeneral.
 
   reserved 5;
   reserved "party_context";

net/base/isolation_info_unittest.cc

@@ -11,10 +11,11 @@
 #include "base/test/gtest_util.h"
 #include "base/test/scoped_feature_list.h"
 #include "base/unguessable_token.h"
-#include "isolation_info.h"
 #include "net/base/features.h"
+#include "net/base/isolation_info.pb.h"
 #include "net/base/network_anonymization_key.h"
 #include "net/base/network_isolation_key.h"
+#include "net/base/network_isolation_partition.h"
 #include "net/base/schemeful_site.h"
 #include "net/cookies/site_for_cookies.h"
 #include "testing/gtest/include/gtest/gtest.h"
@@ -44,7 +45,8 @@ void DuplicateAndCompare(const IsolationInfo& isolation_info) {
       IsolationInfo::CreateIfConsistent(
           isolation_info.request_type(), isolation_info.top_frame_origin(),
           isolation_info.frame_origin(), isolation_info.site_for_cookies(),
-          isolation_info.nonce());
+          isolation_info.nonce(),
+          isolation_info.GetNetworkIsolationPartition());
 
   ASSERT_TRUE(duplicate_isolation_info);
   EXPECT_TRUE(isolation_info.IsEqualForTesting(*duplicate_isolation_info));
@@ -191,6 +193,64 @@ TEST_F(IsolationInfoTest, RequestTypeMainFrameWithNonce) {
   EXPECT_FALSE(redirected_isolation_info.IsOutermostMainFrameRequest());
 }
 
+TEST_F(IsolationInfoTest,
+       RequestTypeMainFrameWithNonGeneralNetworkIsolationPartition) {
+  IsolationInfo isolation_info = IsolationInfo::Create(
+      IsolationInfo::RequestType::kMainFrame, kOrigin1, kOrigin1,
+      SiteForCookies::FromOrigin(kOrigin1), /*nonce=*/std::nullopt,
+      NetworkIsolationPartition::kProtectedAudienceSellerWorklet);
+  EXPECT_EQ(IsolationInfo::RequestType::kMainFrame,
+            isolation_info.request_type());
+  EXPECT_EQ(kOrigin1, isolation_info.top_frame_origin());
+  EXPECT_EQ(kOrigin1, isolation_info.frame_origin());
+  EXPECT_EQ(NetworkIsolationPartition::kProtectedAudienceSellerWorklet,
+            isolation_info.GetNetworkIsolationPartition());
+  EXPECT_EQ(
+      NetworkIsolationPartition::kProtectedAudienceSellerWorklet,
+      isolation_info.network_anonymization_key().network_isolation_partition());
+  EXPECT_EQ(
+      NetworkIsolationPartition::kProtectedAudienceSellerWorklet,
+      isolation_info.network_isolation_key().GetNetworkIsolationPartition());
+  EXPECT_EQ("https://foo.test https://foo.test 1",
+            isolation_info.network_isolation_key().ToCacheKeyString());
+  EXPECT_TRUE(isolation_info.network_isolation_key().IsFullyPopulated());
+  EXPECT_FALSE(isolation_info.network_isolation_key().IsTransient());
+  EXPECT_TRUE(
+      isolation_info.site_for_cookies().IsFirstParty(kOrigin1.GetURL()));
+  EXPECT_FALSE(isolation_info.nonce().has_value());
+  EXPECT_TRUE(isolation_info.IsMainFrameRequest());
+  EXPECT_TRUE(isolation_info.IsOutermostMainFrameRequest());
+
+  DuplicateAndCompare(isolation_info);
+
+  IsolationInfo redirected_isolation_info =
+      isolation_info.CreateForRedirect(kOrigin3);
+  EXPECT_EQ(IsolationInfo::RequestType::kMainFrame,
+            redirected_isolation_info.request_type());
+  EXPECT_EQ(kOrigin3, redirected_isolation_info.top_frame_origin());
+  EXPECT_EQ(kOrigin3, redirected_isolation_info.frame_origin());
+  EXPECT_EQ(NetworkIsolationPartition::kProtectedAudienceSellerWorklet,
+            redirected_isolation_info.GetNetworkIsolationPartition());
+  EXPECT_EQ(NetworkIsolationPartition::kProtectedAudienceSellerWorklet,
+            redirected_isolation_info.network_anonymization_key()
+                .network_isolation_partition());
+  EXPECT_EQ(NetworkIsolationPartition::kProtectedAudienceSellerWorklet,
+            redirected_isolation_info.network_isolation_key()
+                .GetNetworkIsolationPartition());
+  EXPECT_TRUE(
+      redirected_isolation_info.network_isolation_key().IsFullyPopulated());
+  EXPECT_FALSE(redirected_isolation_info.network_isolation_key().IsTransient());
+  EXPECT_EQ(
+      "https://baz.test https://baz.test 1",
+      redirected_isolation_info.network_isolation_key().ToCacheKeyString());
+
+  EXPECT_TRUE(redirected_isolation_info.site_for_cookies().IsFirstParty(
+      kOrigin3.GetURL()));
+  EXPECT_FALSE(redirected_isolation_info.nonce().has_value());
+  EXPECT_TRUE(redirected_isolation_info.IsMainFrameRequest());
+  EXPECT_TRUE(redirected_isolation_info.IsOutermostMainFrameRequest());
+}
+
 TEST_F(IsolationInfoTest, RequestTypeSubFrameWithNonce) {
   IsolationInfo isolation_info = IsolationInfo::Create(
       IsolationInfo::RequestType::kSubFrame, kOrigin1, kOrigin2,
@@ -488,6 +548,11 @@ TEST_F(IsolationInfoTest, Serialization) {
       // Request type kMainframe
       IsolationInfo::Create(IsolationInfo::RequestType::kMainFrame, kOrigin1,
                             kOrigin1, SiteForCookies::FromOrigin(kOrigin1)),
+      // Non-general NetworkIsolationPartition
+      IsolationInfo::Create(
+          IsolationInfo::RequestType::kMainFrame, kOrigin1, kOrigin1,
+          SiteForCookies::FromOrigin(kOrigin1), /*nonce=*/std::nullopt,
+          NetworkIsolationPartition::kProtectedAudienceSellerWorklet),
   };
   for (const auto& info : kPositiveTestCases) {
     auto rt = IsolationInfo::Deserialize(info.Serialize());
@@ -512,6 +577,44 @@ TEST_F(IsolationInfoTest, Serialization) {
   }
 }
 
+TEST_F(IsolationInfoTest,
+       DeserializationAcceptsValidNetworkIsolationPartitionOnly) {
+  proto::IsolationInfo info;
+  info.set_request_type(0);
+  info.set_top_frame_origin(kOrigin1.Serialize());
+  info.set_frame_origin(kOrigin2.Serialize());
+
+  // We can deserialize a missing NetworkIsolationPartition.
+  auto deserialized = IsolationInfo::Deserialize(info.SerializeAsString());
+  ASSERT_TRUE(deserialized);
+  EXPECT_EQ(deserialized->GetNetworkIsolationPartition(),
+            NetworkIsolationPartition::kGeneral);
+
+  // We can deserialize the max value of NetworkIsolationPartition.
+  info.set_network_isolation_partition(
+      static_cast<int32_t>(NetworkIsolationPartition::kMaxValue));
+  deserialized = IsolationInfo::Deserialize(info.SerializeAsString());
+  ASSERT_TRUE(deserialized);
+  EXPECT_EQ(deserialized->GetNetworkIsolationPartition(),
+            NetworkIsolationPartition::kMaxValue);
+
+  // We can deserialize the min value of NetworkIsolationPartition.
+  info.set_network_isolation_partition(0);
+  deserialized = IsolationInfo::Deserialize(info.SerializeAsString());
+  ASSERT_TRUE(deserialized);
+  EXPECT_EQ(deserialized->GetNetworkIsolationPartition(),
+            NetworkIsolationPartition::kGeneral);
+
+  // We can't deserialize a negative value.
+  info.set_network_isolation_partition(-1);
+  EXPECT_FALSE(IsolationInfo::Deserialize(info.SerializeAsString()));
+
+  // We can't deserialize a too large value.
+  info.set_network_isolation_partition(
+      static_cast<int32_t>(NetworkIsolationPartition::kMaxValue) + 1);
+  EXPECT_FALSE(IsolationInfo::Deserialize(info.SerializeAsString()));
+}
+
 }  // namespace
 
 }  // namespace net

services/network/public/cpp/isolation_info_mojom_traits.cc

@@ -6,6 +6,7 @@
 
 #include "base/notreached.h"
 #include "base/unguessable_token.h"
+#include "net/base/network_isolation_partition.h"
 #include "services/network/public/cpp/cookie_manager_shared_mojom_traits.h"
 #include "services/network/public/cpp/crash_keys.h"
 
@@ -52,6 +53,7 @@ bool StructTraits<network::mojom::IsolationInfoDataView, net::IsolationInfo>::
   std::optional<base::UnguessableToken> nonce;
   net::SiteForCookies site_for_cookies;
   net::IsolationInfo::RequestType request_type;
+  net::NetworkIsolationPartition network_isolation_partition;
 
   if (!data.ReadTopFrameOrigin(&top_frame_origin)) {
     network::debug::SetDeserializationCrashKeyString("isolation_top_origin");
@@ -62,14 +64,15 @@ bool StructTraits<network::mojom::IsolationInfoDataView, net::IsolationInfo>::
     return false;
   }
   if (!data.ReadNonce(&nonce) || !data.ReadSiteForCookies(&site_for_cookies) ||
-      !data.ReadRequestType(&request_type)) {
+      !data.ReadRequestType(&request_type) ||
+      !data.ReadNetworkIsolationPartition(&network_isolation_partition)) {
     return false;
   }
 
   std::optional<net::IsolationInfo> isolation_info =
-      net::IsolationInfo::CreateIfConsistent(request_type, top_frame_origin,
+      net::IsolationInfo::CreateIfConsistent(
-                                             frame_origin, site_for_cookies,
+          request_type, top_frame_origin, frame_origin, site_for_cookies, nonce,
-                                             nonce);
+          network_isolation_partition);
   if (!isolation_info) {
     network::debug::SetDeserializationCrashKeyString("isolation_inconsistent");
     return false;

services/network/public/cpp/isolation_info_mojom_traits.h

@@ -12,7 +12,9 @@
 #include "mojo/public/cpp/bindings/struct_traits.h"
 #include "net/base/features.h"
 #include "net/base/isolation_info.h"
+#include "net/base/network_isolation_partition.h"
 #include "net/cookies/site_for_cookies.h"
+#include "services/network/public/cpp/network_isolation_partition_mojom_traits.h"
 #include "services/network/public/cpp/schemeful_site_mojom_traits.h"
 #include "services/network/public/mojom/isolation_info.mojom-shared.h"
 #include "url/mojom/origin_mojom_traits.h"
@@ -50,7 +52,12 @@ struct COMPONENT_EXPORT(NETWORK_CPP_BASE)
 
   static const std::optional<base::UnguessableToken>& nonce(
       const net::IsolationInfo& input) {
-    return input.nonce_;
+    return input.nonce();
+  }
+
+  static net::NetworkIsolationPartition network_isolation_partition(
+      const net::IsolationInfo& input) {
+    return input.GetNetworkIsolationPartition();
   }
 
   static const net::SiteForCookies& site_for_cookies(

services/network/public/cpp/isolation_info_mojom_traits_unittest.cc

@@ -10,6 +10,7 @@
 #include "base/unguessable_token.h"
 #include "mojo/public/cpp/test_support/test_utils.h"
 #include "net/base/isolation_info.h"
+#include "net/base/network_isolation_partition.h"
 #include "net/cookies/site_for_cookies.h"
 #include "services/network/public/mojom/isolation_info.mojom.h"
 #include "testing/gtest/include/gtest/gtest.h"
@@ -61,6 +62,16 @@ TEST(IsolationInfoMojomTraitsTest, SerializeAndDeserialize) {
       net::IsolationInfo::Create(net::IsolationInfo::RequestType::kOther,
                                  url::Origin(), url::Origin(),
                                  net::SiteForCookies(), nonce),
+      net::IsolationInfo::Create(net::IsolationInfo::RequestType::kOther,
+                                 url::Origin(), url::Origin(),
+                                 net::SiteForCookies(), /*nonce=*/std::nullopt,
+                                 /*network_isolation_partition=*/
+                                 net::NetworkIsolationPartition::kGeneral),
+      net::IsolationInfo::Create(
+          net::IsolationInfo::RequestType::kOther, url::Origin(), url::Origin(),
+          net::SiteForCookies(), /*nonce=*/std::nullopt,
+          /*network_isolation_partition=*/
+          net::NetworkIsolationPartition::kProtectedAudienceSellerWorklet),
   };
 
   for (auto original : keys) {

services/network/public/mojom/isolation_info.mojom

@@ -5,6 +5,7 @@
 module network.mojom;
 
 import "mojo/public/mojom/base/unguessable_token.mojom";
+import "services/network/public/mojom/network_isolation_partition.mojom";
 import "services/network/public/mojom/site_for_cookies.mojom";
 import "services/network/public/mojom/schemeful_site.mojom";
 import "url/mojom/origin.mojom";
@@ -26,4 +27,5 @@ struct IsolationInfo {
   url.mojom.Origin? frame_origin;
   mojo_base.mojom.UnguessableToken? nonce;
   SiteForCookies site_for_cookies;
+  NetworkIsolationPartition network_isolation_partition;
 };

third_party/blink/common/storage_key/storage_key.cc

@@ -10,11 +10,13 @@
 #include <string>
 #include <string_view>
 
+#include "base/check.h"
 #include "base/feature_list.h"
 #include "base/strings/strcat.h"
 #include "base/strings/string_number_conversions.h"
 #include "base/types/optional_util.h"
 #include "net/base/features.h"
+#include "net/base/network_isolation_partition.h"
 #include "net/base/registry_controlled_domains/registry_controlled_domain.h"
 #include "third_party/abseil-cpp/absl/strings/ascii.h"
 #include "url/gurl.h"
@@ -537,6 +539,10 @@ StorageKey StorageKey::Create(const url::Origin& origin,
 StorageKey StorageKey::CreateFromOriginAndIsolationInfo(
     const url::Origin& origin,
     const net::IsolationInfo& isolation_info) {
+  // Support for creating a StorageKey from IsolationInfos with special
+  // NetworkIsolationPartition is not implemented.
+  CHECK_EQ(isolation_info.GetNetworkIsolationPartition(),
+           net::NetworkIsolationPartition::kGeneral);
   if (isolation_info.nonce()) {
     // If the nonce is set we can use the simpler construction path.
     return CreateWithNonce(origin, *isolation_info.nonce());