Commit 78aed40a authored by alexmos, committed by Commit bot

Avoid crash in ContentSettingsObserver::GetOriginOrURL with top remote frames.

The intent of the fallback to top()->document().url() in
GetOriginOrURL() is to support file path matching for content setting
exceptions in pages loaded from a file: scheme.  This fallback can
cause crashes in OOPIF modes when the top frame is remote, even in
cases that have nothing to do with file: exceptions, such as a
sandboxed main frame (which has a "null" origin) embedding an
OOPIF.

Longer-term, local and remote frames should be treated the same way
for content settings exceptions for the file: scheme; and content
settings will be refactored to be based on origins rather than GURLs
in issue 621724.  In the short term though, avoid the crash by falling
back to document->url() only for local top frames.  This shouldn't
actually affect file exceptions, as --isolate-extensions, which is the
only OOPIF mode currently enabled by default on trunk, won't put
subframes inside file: pages into a separate process.

BUG=628759, 466297

Review-Url: https://codereview.chromium.org/2354083002
Cr-Commit-Position: refs/heads/master@{#419899}
parent a8883442
......@@ -49,8 +49,8 @@ GURL GetOriginOrURL(const WebFrame* frame) {
// document URL as the primary URL in those cases.
// TODO(alexmos): This is broken for --site-per-process, since top() can be a
// WebRemoteFrame which does not have a document(), and the WebRemoteFrame's
// URL is not replicated.
if (top_origin == "null")
// URL is not replicated. See https://crbug.com/628759.
if (top_origin == "null" && frame->top()->isWebLocalFrame())
return frame->top()->document().url();
return blink::WebStringToGURL(top_origin);
}
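Review bot: The narrowed condition `if (top_origin == "null" && frame->top()->isWebLocalFrame())` means a remote top frame with a "null" origin now falls through to `return blink::WebStringToGURL(top_origin);` with `top_origin` equal to the literal string "null", which is not a usable URL for the file-path matching the surrounding comment describes; the updated comment only cites https://crbug.com/628759 and should state this fall-through explicitly so a later reader does not take the remote case as handled. Suggest extending the comment to something like "For remote top frames we cannot read the document URL, so fall through to the (null) origin; see https://crbug.com/628759." and, since the commit message names a sandboxed main frame embedding an OOPIF as the crashing case, adding a test for that configuration so the guard is covered.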