CORB: Remove no-longer-needed, hacky detection of same-origin requests.

After r694827 (Set |request_initiator| to the website, not to the
content script's origin), CORB can detect all same-origin requests
directly, without resorting to a hacky comparison with the
request_initiator_site_lock.  This CL reverts parts of r620866 where
this hack was introduced.

Bug: 940068
Change-Id: I69f3e6b868436f2aaa78b594da25a3c5431ab7cb
Reviewed-on: https://chromium-review.googlesource.com/c/chromium/src/+/1823597
Commit-Queue: Charlie Reis <creis@chromium.org>
Auto-Submit: Łukasz Anforowicz <lukasza@chromium.org>
Reviewed-by: Charlie Reis <creis@chromium.org>
Cr-Commit-Position: refs/heads/master@{#700486}

services/network/cross_origin_read_blocking.cc

@@ -680,18 +680,6 @@ CrossOriginReadBlocking::ResponseAnalyzer::ShouldBlockBasedOnHeaders(
   // that are inexpensive should be near the top.
   url::Origin target_origin = url::Origin::Create(request_url);
 
-  // Check if |target_origin| seems to match the factory lock in
-  // |request_initiator_site_lock|.  If so, then treat this request as
-  // same-origin (even if |request_initiator| might be cross-origin).  See
-  // also https://crbug.com/918660.
-  // TODO(lukasza): https://crbug.com/940068: Remove this code section
-  // once request_initiator is always set to the webpage (and never to the
-  // isolated world).
-  if (VerifyRequestInitiatorLock(request_initiator_site_lock, target_origin) ==
-      InitiatorLockCompatibility::kCompatibleLock) {
-    return kAllow;
-  }
-
   // Compute the |initiator| of the request, falling back to a unique origin if
   // there was no initiator or if it was incompatible with the lock. Using a
   // unique origin makes CORB treat the response as cross-origin and thus

third_party/blink/web_tests/external/wpt/fetch/corb/img-mime-types-coverage.tentative.sub.html

@@ -53,12 +53,7 @@
 
   const get_url = (mime) => {
     // www1 is cross-origin, so the HTTP response is CORB-eligible -->
-    //
-    // TODO(lukasza@chromium.org): Once https://crbug.com/888079 and
-    // https://crbug.com/891872 are fixed, we should use a cross-*origin*
-    // rather than cross-*site* URL below (e.g. s/hosts[alt]/domains/g).
-    // See also https://crbug.com/918660 for more context.
-    url = "http://{{hosts[alt][www1]}}:{{ports[http][0]}}"
+    url = "http://{{domains[www1]}}:{{ports[http][0]}}"
     url = url + "/fetch/nosniff/resources/image.py"
     if (mime != null) {
         url += "?type=" + encodeURIComponent(mime)

third_party/blink/web_tests/external/wpt/fetch/corb/img-png-mislabeled-as-html-nosniff.tentative.sub.html

@@ -7,11 +7,5 @@
 <meta charset="utf-8">
 <!-- Reference page uses same-origin resources, which are not CORB-eligible. -->
 <link rel="match" href="img-png-mislabeled-as-html-nosniff.tentative.sub-ref.html">
-<!-- www1 is cross-origin, so the HTTP response is CORB-eligible
-
-TODO(lukasza@chromium.org): Once https://crbug.com/888079 and
-https://crbug.com/891872 are fixed, we should use a cross-*origin*
-rather than cross-*site* URL below (e.g. s/hosts[alt]/domains/g).
-See also https://crbug.com/918660 for more context.
--->
-<img src="http://{{hosts[alt][www1]}}:{{ports[http][0]}}/fetch/corb/resources/png-mislabeled-as-html-nosniff.png">
+<!-- www1 is cross-origin, so the HTTP response is CORB-eligible -->
+<img src="http://{{domains[www1]}}:{{ports[http][0]}}/fetch/corb/resources/png-mislabeled-as-html-nosniff.png">

third_party/blink/web_tests/external/wpt/fetch/corb/preload-image-png-mislabeled-as-html-nosniff.tentative.sub.html

@@ -17,14 +17,8 @@ async_test(function(t) {
 });
 </script>
 
-<!-- www1 is cross-origin, so the HTTP response is CORB-eligible
-
-TODO(lukasza@chromium.org): Once https://crbug.com/888079 and
-https://crbug.com/891872 are fixed, we should use a cross-*origin*
-rather than cross-*site* URL below (e.g. s/hosts[alt]/domains/g).
-See also https://crbug.com/918660 for more context.
--->
+<!-- www1 is cross-origin, so the HTTP response is CORB-eligible -->
 <link rel="preload" as="image"
       onerror="window.preloadErrorEvent()"
       onload="window.preloadLoadEvent()"
-      href="http://{{hosts[alt][www1]}}:{{ports[http][0]}}/fetch/corb/resources/png-mislabeled-as-html-nosniff.png">
+      href="http://{{domains[www1]}}:{{ports[http][0]}}/fetch/corb/resources/png-mislabeled-as-html-nosniff.png">

third_party/blink/web_tests/external/wpt/fetch/corb/script-html-correctly-labeled.tentative.sub.html

@@ -24,12 +24,7 @@ async_test(function(t) {
   });
 
   // www1 is cross-origin, so the HTTP response is CORB-eligible.
-  //
-  // TODO(lukasza@chromium.org): Once https://crbug.com/888079 and
-  // https://crbug.com/891872 are fixed, we should use a cross-*origin*
-  // rather than cross-*site* URL below (e.g. s/hosts[alt]/domains/g).
-  // See also https://crbug.com/918660 for more context.
-  script.src = 'http://{{hosts[alt][www1]}}:{{ports[http][0]}}/fetch/corb/resources/html-correctly-labeled.html';
+  script.src = 'http://{{domains[www1]}}:{{ports[http][0]}}/fetch/corb/resources/html-correctly-labeled.html';
   document.body.appendChild(script)
 }, "CORB-blocked script has no syntax errors");
 </script>

third_party/blink/web_tests/external/wpt/fetch/corb/script-resource-with-json-parser-breaker.tentative.sub.html

@@ -68,12 +68,7 @@ function test(mime_type, body) {
     });
 
     // www1 is cross-origin, so the HTTP response is CORB-eligible.
-    //
-    // TODO(lukasza@chromium.org): Once https://crbug.com/888079 and
-    // https://crbug.com/891872 are fixed, we should use a cross-*origin*
-    // rather than cross-*site* URL below (e.g. s/hosts[alt]/domains/g).
-    // See also https://crbug.com/918660 for more context.
-    var src_prefix = "http://{{hosts[alt][www1]}}:{{ports[http][0]}}/fetch/corb/resources/sniffable-resource.py";
+    var src_prefix = "http://{{domains[www1]}}:{{ports[http][0]}}/fetch/corb/resources/sniffable-resource.py";
     script.src = src_prefix + "?type=" + mime_type + "&body=" + encodeURIComponent(body);
     document.body.appendChild(script)
   }, "CORB-blocks '" + mime_type + "' that starts with the following JSON parser breaker: " + body);

third_party/blink/web_tests/external/wpt/html/semantics/document-metadata/the-link-element/resources/link-style-error.js

 ["<link>", "@import"].forEach(linkType => {
   [
    ["same-origin", "resources/css.py"],
-
-   // TODO(lukasza@chromium.org): Once https://crbug.com/888079 and
-   // https://crbug.com/891872 are fixed, we should use a cross-*origin* rather
-   // than cross-*site* URL below (e.g.  s/ HTTP_NOTSAMESITE_ORIGIN /
-   // HTTP_REMOTE_ORIGIN /g).  See also https://crbug.com/918660 for more
-   // context.
-   ["cross-origin", get_host_info().HTTP_NOTSAMESITE_ORIGIN + "/html/semantics/document-metadata/the-link-element/resources/css.py"]
+   ["cross-origin", get_host_info().HTTP_REMOTE_ORIGIN + "/html/semantics/document-metadata/the-link-element/resources/css.py"]
   ].forEach(originType => {
     ["no Content-Type", "wrong Content-Type", "broken Content-Type"].forEach(contentType => {
       ["no nosniff", "nosniff"].forEach(nosniff => {