Fix race that can cause UAF in SafeBrowsingNetworkContext::SharedURLLoaderFactory::InternalState.

The problem was the constructor was posting a task to a different thread, which could execute before the constructor returns and a reference is held.

This was seen in
https://logs.chromium.org/v/?s=chromium%2Fbb%2Fchromium.memory%2FLinux_ASan_LSan_Tests__1_%2F44439%2F%2B%2Frecipes%2Fsteps%2Fbrowser_tests%2F0%2Flogs%2FMSE_ExternalClearKey__x2f_EncryptedMediaTest.Playback_VP9Video_WebM_Subsample__x2f_0%2F0

Bug: 825242
Change-Id: Ib851536adc57bfab14748e1f7324b143aff55033
Reviewed-on: https://chromium-review.googlesource.com/992876Reviewed-by: Ken Rockot <rockot@chromium.org>
Commit-Queue: John Abd-El-Malek <jam@chromium.org>
Cr-Commit-Position: refs/heads/master@{#547758}

components/safe_browsing/browser/safe_browsing_network_context.cc

@@ -33,8 +33,9 @@ class SafeBrowsingNetworkContext::SharedURLLoaderFactory
   network::mojom::NetworkContext* GetNetworkContext() {
     DCHECK(content::BrowserThread::CurrentlyOn(content::BrowserThread::UI));
     if (!network_context_) {
-      internal_state_ = base::MakeRefCounted<InternalState>(
-          request_context_getter_, MakeRequest(&network_context_));
+      internal_state_ = base::MakeRefCounted<InternalState>();
+      internal_state_->Initialize(request_context_getter_,
+                                  MakeRequest(&network_context_));
     }
     return network_context_.get();
   }
@@ -74,7 +75,9 @@ class SafeBrowsingNetworkContext::SharedURLLoaderFactory
   // This class holds on to the network::NetworkContext object on the IO thread.
   class InternalState : public base::RefCountedThreadSafe<InternalState> {
    public:
-    InternalState(
+    InternalState() = default;
+
+    void Initialize(
         scoped_refptr<net::URLRequestContextGetter> request_context_getter,
         network::mojom::NetworkContextRequest network_context_request) {
       content::BrowserThread::PostTask(