Stop relying on disabled web security in CORB tests.

This CL:

1. Transitions core CORB test coverage away from the fetch API (where
   blocking by OOR-CORS can interfere with test results) to triggering
   fetches via <img> tags (where CORB stays applicable even after
   OOR-CORS ships).

   Tests covering CORS/CORB intersection continue to be done via fetch
   API (in CrossSiteDocumentBlockingTest.BlockFetches test).

   Verification of response body no longer depends on disabled web
   security (and inspecting fetch API results), but is instead done
   via RequestInterceptor helper that lives next to the tests.
   The CL also uncovered and fixes a threading issue in the
   implementation of RequestInterceptor.

2. Stops testing range requests in content_browsertests and starts to
   rely on existing and new test coverage in content_unittests (fetch
   API seems to be the only directly-test-controllable way of making
   range requests).

I've tested this CL by manually running CrossSiteDocumentBlockingTest
from content_browsertests 1) in default mode, 2) with NetworkService
enabled and 3) with NetworkService and OutOfBlinkCORS enabled.

Bug: 870173
Cq-Include-Trybots: luci.chromium.try:linux_mojo
Change-Id: Iec5c9f0e7ddad0ff02627b88dcfab276795e7be9
Reviewed-on: https://chromium-review.googlesource.com/c/1279351Reviewed-by: Takashi Toyoshima <toyoshim@chromium.org>
Reviewed-by: Yutaka Hirano <yhirano@chromium.org>
Reviewed-by: Charlie Reis <creis@chromium.org>
Commit-Queue: Łukasz Anforowicz <lukasza@chromium.org>
Cr-Commit-Position: refs/heads/master@{#601174}

content/browser/loader/cross_site_document_resource_handler_unittest.cc

@@ -1056,6 +1056,38 @@ const TestScenario kScenarios[] = {
         Verdict::kBlock,                            // verdict
         0,                                          // verdict_packet
     },
+    {
+        "Allowed: Javascript 206",
+        __LINE__,
+        "http://www.b.com/script.js",           // target_url
+        RESOURCE_TYPE_SCRIPT,                   // resource_type
+        "http://www.a.com/",                    // initiator_origin
+        OriginHeader::kOmit,                    // cors_request
+        "application/javascript",               // response_content_type
+        MimeType::kOthers,                      // canonical_mime_type
+        false,                                  // include_no_sniff_header
+        true,                                   // simulate_range_response
+        AccessControlAllowOriginHeader::kOmit,  // cors_response
+        {"x = 1;"},                             // packets
+        Verdict::kAllow,                        // verdict
+        -1,                                     // verdict_packet
+    },
+    {
+        "Allowed: text/html 206 media with CORS",
+        __LINE__,
+        "http://www.b.com/movie.html",  // target_url
+        RESOURCE_TYPE_MEDIA,            // resource_type
+        "http://www.a.com/",            // initiator_origin
+        OriginHeader::kInclude,         // cors_request
+        "text/html",                    // response_content_type
+        MimeType::kInvalidMimeType,     // canonical_mime_type
+        false,                          // include_no_sniff_header
+        true,                           // simulate_range_response
+        AccessControlAllowOriginHeader::kAllowInitiatorOrigin,  // cors_response
+        {"simulated *middle*-of-html content"},                 // packets
+        Verdict::kAllow,                                        // verdict
+        -1,  // verdict_packet
+    },
     {
         "Allowed: text/plain 206 media",
         __LINE__,