Ignore fetch requests with mismatched |request_initiator_site_lock|.

We still get a low volume of reports about mismatched |request_initiator_site_lock|, but we have trouble finding their root cause. We hope to get more data through DwoC from the M84 Beta (see https://crbug.com/1056949#c27).

If we fail to find the root cause in other ways, then it seems that the best way to proceed in M85+ is to enable hard enforcement of |request_initiator_site_lock| (i.e. reject requests with a mismatched |request_initiator| in CorsURLLoaderFactory::IsValidRequest). This will 1) get security benefits (making it impossible to spoof |request_initiator|) and 2) might help find the root cause for the mismatched requests, by breaking such requests (and hopefully encouraging bug reports with repro steps).

Bug: 920634, 1056949
Change-Id: I0c2539d10682e3c85c0f3d09763ab02646bea0d7
Reviewed-on: https://chromium-review.googlesource.com/c/chromium/src/+/2210870
Reviewed-by: Yutaka Hirano <yhirano@chromium.org>
Reviewed-by: Nasko Oskov <nasko@chromium.org>
Commit-Queue: Łukasz Anforowicz <lukasza@chromium.org>
Auto-Submit: Łukasz Anforowicz <lukasza@chromium.org>
Cr-Commit-Position: refs/heads/master@{#772436}