Add a security note for GetURLLoaderFactoryForBrowserProcess method.

The new security note explains security-related caveats related to using
the GetURLLoaderFactoryForBrowserProcess method.  The note suggests
using RenderFrameHost::CreateNetworkServiceDefaultFactory instead (the
latter factory should enforce setting a non-base::nullopt
network::ResourceRequest::request_initiator - see the
InitiatorLockCompatibility::kNoInitiator case in
CorsURLLoaderFactory::IsValidRequest).

Bug: 1128008
Change-Id: I3d30736f5804b97a45e246106463ee6a40e747a2
Reviewed-on: https://chromium-review.googlesource.com/c/chromium/src/+/2410820
Auto-Submit: Łukasz Anforowicz <lukasza@chromium.org>
Reviewed-by: Nasko Oskov <nasko@chromium.org>
Reviewed-by: Matt Menke <mmenke@chromium.org>
Commit-Queue: Matt Menke <mmenke@chromium.org>
Cr-Commit-Position: refs/heads/master@{#807781}

content/public/browser/storage_partition.h

@@ -97,6 +97,12 @@ class CONTENT_EXPORT StoragePartition {
   // use after StoragePartition has gone.
   // The returned SharedURLLoaderFactory can be held on and will work across
   // network process restarts.
+  //
+  // SECURITY NOTE: This browser-process factory relaxes many security features
+  // (e.g. may disable CORB, won't set |request_initiator_origin_lock| or
+  // IsolationInfo, etc.).  Network requests that may be initiated or influenced
+  // by a web origin should typically use a different factory (e.g.  the one
+  // from RenderFrameHost::CreateNetworkServiceDefaultFactory).
   virtual scoped_refptr<network::SharedURLLoaderFactory>
   GetURLLoaderFactoryForBrowserProcess() = 0;
   virtual scoped_refptr<network::SharedURLLoaderFactory>