Limit about: URLs that are treated as potentially trustworthy

Per [1], only about:blank and about:srcdoc URLs should be treated as
potentially trustworthy, but Chromium currently accepts all about: URLs.
This CL aligns with the current spec, with the additional assumption
that query and fragment components are accepted too [2]. This change is
not web-visible.

[1] https://w3c.github.io/webappsec-secure-contexts/#potentially-trustworthy-url
[2] https://github.com/w3c/webappsec-secure-contexts/issues/81

Bug: 1153335, 1153336
Change-Id: I907d90596b4895a3d3b6efbfd535b2efe9e9cc8b
Reviewed-on: https://chromium-review.googlesource.com/c/chromium/src/+/2563492
Commit-Queue: Frédéric Wang <fwang@igalia.com>
Reviewed-by: Matt Falkenhagen <falken@chromium.org>
Reviewed-by: Mike West <mkwst@chromium.org>
Cr-Commit-Position: refs/heads/master@{#833066}

services/network/public/cpp/is_potentially_trustworthy.cc

@@ -269,9 +269,7 @@ bool IsUrlPotentiallyTrustworthy(const GURL& url) {
 
   // 1. If url is "about:blank" or "about:srcdoc", return "Potentially
   //    Trustworthy".
-  // TODO(https://crbug.com/1153335): This should probably instead rely on
-  // something like url.IsAboutBlank() || url.IsAboutSrcdoc().
-  if (url.SchemeIs(url::kAboutScheme))
+  if (url.IsAboutBlank() || url.IsAboutSrcdoc())
     return true;
 
   // 2. If url’s scheme is "data", return "Potentially Trustworthy".

services/network/public/cpp/is_potentially_trustworthy_unittest.cc

@@ -50,8 +50,7 @@ TEST(IsPotentiallyTrustworthy, MainTest) {
   EXPECT_TRUE(IsPotentiallyTrustworthy("about:srcdoc#ref"));
   EXPECT_TRUE(IsPotentiallyTrustworthy("about:srcdoc?x=2#ref"));
 
-  // TODO(https://crbug.com/1153335): This should return false.
-  EXPECT_TRUE(IsPotentiallyTrustworthy("about:about"));
+  EXPECT_FALSE(IsPotentiallyTrustworthy("about:about"));
 
   // TODO(https://crbug.com/1119740): Should return true for data: URLs.
   EXPECT_FALSE(IsPotentiallyTrustworthy("data:test/plain;blah"));