Use network::IsOriginPotentiallyTrustworthy in Insecure Input Tab Helper

This change replaces network::IsUrlPotentiallyTrustworthy with
network::IsOriginPotentiallyTrustworthy in the Insecure Input Tab
Helper. The difference is that "potentially trustworthy origin" does
not include "data:" and "about:" schemes [1].

[1] https://w3c.github.io/webappsec-secure-contexts/#potentially-trustworthy-url

Bug: 1119740, 1153336
Change-Id: Ib817eee3a8460b1f99669b6dc77c92f0e7ed2743
Reviewed-on: https://chromium-review.googlesource.com/c/chromium/src/+/2580067
Commit-Queue: Frédéric Wang <fwang@igalia.com>
Reviewed-by: Emily Stark <estark@chromium.org>
Cr-Commit-Position: refs/heads/master@{#835574}

components/security_state/ios/insecure_input_tab_helper.h

@@ -45,6 +45,8 @@ class InsecureInputTabHelper
                            web::NavigationContext* navigation_context) override;
   void WebStateDestroyed(web::WebState* web_state) override;
 
+  bool IsInsecureContext();
+
   // The WebState this instance is observing. Will be null after
   // WebStateDestroyed has been called.
   web::WebState* web_state_ = nullptr;

components/security_state/ios/insecure_input_tab_helper.mm

@@ -18,6 +18,7 @@
 #import "ios/web/public/web_state.h"
 #import "ios/web/public/web_state_user_data.h"
 #include "services/network/public/cpp/is_potentially_trustworthy.h"
+#include "url/origin.h"
 
 #if !defined(__has_feature) || !__has_feature(objc_arc)
 #error "This file requires ARC support."
@@ -64,9 +65,16 @@ InsecureInputTabHelper* InsecureInputTabHelper::GetOrCreateForWebState(
   return helper;
 }
 
+bool InsecureInputTabHelper::IsInsecureContext() {
+  // We don't want to mark data URLs as secure, so we check the origin rather
+  // than calling network::IsUrlPotentiallyTrustworthy.
+  // See https://w3c.github.io/webappsec-secure-contexts/#is-url-trustworthy
+  return !network::IsOriginPotentiallyTrustworthy(
+      url::Origin::Create(web_state_->GetLastCommittedURL()));
+}
+
 void InsecureInputTabHelper::DidEditFieldInInsecureContext() {
-  DCHECK(
-      !network::IsUrlPotentiallyTrustworthy(web_state_->GetLastCommittedURL()));
+  DCHECK(IsInsecureContext());
 
   security_state::SSLStatusInputEventData* input_events =
       GetOrCreateSSLStatusInputEventData(web_state_);
@@ -93,8 +101,7 @@ void InsecureInputTabHelper::FormActivityRegistered(
     web::WebFrame* sender_frame,
     const autofill::FormActivityParams& params) {
   DCHECK_EQ(web_state_, web_state);
-  if (params.type == "input" &&
-      !network::IsUrlPotentiallyTrustworthy(web_state->GetLastCommittedURL())) {
+  if (params.type == "input" && IsInsecureContext()) {
     DidEditFieldInInsecureContext();
   }
 }
@@ -105,8 +112,7 @@ void InsecureInputTabHelper::DidFinishNavigation(
   DCHECK_EQ(web_state_, web_state);
   // Check if the navigation should clear insecure input event data (i.e., not a
   // same-document navigation).
-  if (!network::IsUrlPotentiallyTrustworthy(web_state->GetLastCommittedURL()) &&
-      navigation_context->HasCommitted() &&
+  if (IsInsecureContext() && navigation_context->HasCommitted() &&
       !navigation_context->IsSameDocument()) {
     security_state::SSLStatusInputEventData* input_events =
         GetOrCreateSSLStatusInputEventData(web_state_);