Follow up on stopping setting CORS flag for data URLs

 - Replace |url.ProtocolIsData() || origin->CanRequest(url)|
   with |origin->CanReadContent(url)|.
 - Remove cross-origin settings for data URLs in workers as data URLs
   are now considered as same-origin.

This is a follow up for [1].

1: https://chromium-review.googlesource.com/c/chromium/src/+/1160126

Bug: 870173
Change-Id: Ie95e82c57882e4ce7d52e8ab0607c81e4b18c171
Reviewed-on: https://chromium-review.googlesource.com/1177472
Commit-Queue: Yutaka Hirano <yhirano@chromium.org>
Reviewed-by: Hiroshige Hayashizaki <hiroshige@chromium.org>
Cr-Commit-Position: refs/heads/master@{#587955}

third_party/blink/renderer/core/execution_context/execution_context.cc

@@ -116,9 +116,7 @@ bool ExecutionContext::ShouldSanitizeScriptError(
   if (cors_status == kOpaqueResource)
     return true;
   const KURL& url = CompleteURL(source_url);
-  if (url.ProtocolIsData())
-    return false;
-  return !(GetSecurityOrigin()->CanRequest(url) ||
+  return !(GetSecurityOrigin()->CanReadContent(url) ||
            cors_status == kSharableCrossOrigin);
 }
 

third_party/blink/renderer/core/exported/web_shared_worker_impl.cc

@@ -128,10 +128,6 @@ void WebSharedWorkerImpl::OnShadowPageInitialized() {
       network::mojom::FetchRequestMode::kSameOrigin;
   network::mojom::FetchCredentialsMode fetch_credentials_mode =
       network::mojom::FetchCredentialsMode::kSameOrigin;
-  if ((static_cast<KURL>(script_request_url_)).ProtocolIsData()) {
-    fetch_request_mode = network::mojom::FetchRequestMode::kNoCORS;
-    fetch_credentials_mode = network::mojom::FetchCredentialsMode::kInclude;
-  }
 
   main_script_loader_->LoadTopLevelScriptAsynchronously(
       *shadow_page_->GetDocument(), script_request_url_,

third_party/blink/renderer/core/workers/abstract_worker.cc

@@ -57,8 +57,7 @@ KURL AbstractWorker::ResolveURL(ExecutionContext* execution_context,
   // We can safely expose the URL in the following exceptions, as these checks
   // happen synchronously before redirection. JavaScript receives no new
   // information.
-  if (!script_url.ProtocolIsData() &&
-      !execution_context->GetSecurityOrigin()->CanRequest(script_url)) {
+  if (!execution_context->GetSecurityOrigin()->CanReadContent(script_url)) {
     exception_state.ThrowSecurityError(
         "Script at '" + script_url.ElidedString() +
         "' cannot be accessed from origin '" +

third_party/blink/renderer/core/workers/dedicated_worker.cc

@@ -172,10 +172,6 @@ void DedicatedWorker::Start() {
         network::mojom::FetchRequestMode::kSameOrigin;
     network::mojom::FetchCredentialsMode fetch_credentials_mode =
         network::mojom::FetchCredentialsMode::kSameOrigin;
-    if (script_request_url_.ProtocolIsData()) {
-      fetch_request_mode = network::mojom::FetchRequestMode::kNoCORS;
-      fetch_credentials_mode = network::mojom::FetchCredentialsMode::kInclude;
-    }
     classic_script_loader_ = WorkerClassicScriptLoader::Create();
     classic_script_loader_->LoadTopLevelScriptAsynchronously(
         *GetExecutionContext(), script_request_url_,

third_party/blink/renderer/platform/loader/cors/cors.cc

@@ -270,11 +270,7 @@ bool CalculateCORSFlag(const KURL& url,
   // CORS needs a proper origin (including a unique opaque origin). If the
   // request doesn't have one, CORS should not work.
   DCHECK(origin);
-
-  if (url.ProtocolIsData())
-    return false;
-
-  return !origin->CanRequest(url);
+  return !origin->CanReadContent(url);
 }
 
 }  // namespace CORS