Add https check to DeviceWebBasedAttestationAllowedUrls policy

Only HTTPS URLs should be allowed to receive VA challenge response.

Bug: 1000589
Test: SAMLDeviceAttestationTest.*
Change-Id: I11b692f1124a1a9f7c0c1b4db2faf6df23d28039
Reviewed-on: https://chromium-review.googlesource.com/c/chromium/src/+/1940183Reviewed-by: Roman Sorokin [CET] <rsorokin@chromium.org>
Commit-Queue: Michael Ershov <miersh@google.com>
Cr-Commit-Position: refs/heads/master@{#720035}

chrome/browser/ui/webui/chromeos/login/saml_challenge_key_handler.cc

@@ -39,6 +39,10 @@ bool IsDeviceWebBasedAttestationEnabledForUrl(const GURL& url,
     return false;
   }
 
+  if (!url.SchemeIs(url::kHttpsScheme)) {
+    return false;
+  }
+
   if (patterns->GetSize() >= kPatternsSizeWarningLevel) {
     LOG(WARNING) << "Allowed urls list size is " << patterns->GetSize()
                  << ". Check may be slow.";

components/policy/resources/policy_templates.json

@@ -18909,7 +18909,9 @@
 
       Specifically, if a URL matches one of the patterns provided through this policy, it will be allowed to receive a HTTP header containing a response to a remote attestation challenge, attesting device identity and device state.
 
-      If this policy is not set or is set to an empty list, no URL is allowed to use remote attestation on the sign-in screen.'''
+      If this policy is not set or is set to an empty list, no URL is allowed to use remote attestation on the sign-in screen.
+
+      URLs must have HTTPS scheme, e.g. "https://example.com".'''
     },
     {
       'name': 'DeviceShowNumericKeyboardForPassword',