Restrict transmission of external exp ids to signed-in users.

Since external experiment ids are not based on Chrome's low
entropy source, they do not have the same guarantees about
not identifying a user as Chrome's variations. As such, we
should only transmit them for signed-in users, whose identity
is already known by Google so there's no risk of identifying
them through these headers.

Note: The signed-in state checking in this CL is only done for
web content area requests and not other internal requests,
like to the suggestion service, where it treats the state as
"not signed in". This is fine to do because variations service
ids are still sent, which is what the other call sites are
interested in.

BUG=672532
TBR=mpearson@chromium.org,mattm@chromium.org,donnd@chromium.org,afakhry@chromium.org

Review-Url: https://codereview.chromium.org/2558913003
Cr-Commit-Position: refs/heads/master@{#437959}
17 files changed