CORB should block event-stream, gzip and x-www-form-urlencoded.

This CL adds CORB coverage for:

1) text/event-stream, application/x-www-form-urlencoded, based on the
code review discussion in a previous CL here:
https://chromium-review.googlesource.com/c/chromium/src/+/1604244/4/services/network/cross_origin_read_blocking.cc#227

2) application/gzip, which wasn't mentioned explicitly in the CR
discussion above, but which is ranked #212 in the spreadsheet
mentioned in https://github.com/whatwg/fetch/issues/860#issuecomment-457330454
and therefore probably should have been included in r659671 together
with x-gzip (ranked #54) and zip (ranked #71).

Bug: 802836
Change-Id: I8c10f900110a2cb471437a19425bfd5e38aed2fe
Reviewed-on: https://chromium-review.googlesource.com/c/chromium/src/+/1628809Reviewed-by: Charlie Reis <creis@chromium.org>
Commit-Queue: Łukasz Anforowicz <lukasza@chromium.org>
Cr-Commit-Position: refs/heads/master@{#663824}

services/network/cross_origin_read_blocking.cc

@@ -220,9 +220,12 @@ base::flat_set<std::string>& GetNeverSniffedMimeTypes() {
       //
       // TODO(lukasza): https://crbug.com/802836#c11: Add
       // application/signed-exchange.
+      "application/gzip",
       "application/x-gzip",
       "application/x-protobuf",
+      "application/x-www-form-urlencoded",
       "application/zip",
+      "text/event-stream",
   });
 
   // All items need to be lower-case, to support case-insensitive comparisons

services/network/cross_origin_read_blocking_unittest.cc

@@ -275,9 +275,12 @@ TEST(CrossOriginReadBlockingTest, GetCanonicalMimeType) {
       {"application/xml+blah", MimeType::kOthers},
 
       // Types protected without sniffing.
+      {"application/gzip", MimeType::kNeverSniffed},
       {"application/x-protobuf", MimeType::kNeverSniffed},
       {"application/x-gzip", MimeType::kNeverSniffed},
+      {"application/x-www-form-urlencoded", MimeType::kNeverSniffed},
       {"application/zip", MimeType::kNeverSniffed},
+      {"text/event-stream", MimeType::kNeverSniffed},
       // TODO(lukasza): https://crbug.com/944162: Add application/pdf and
       // text/csv to the list of content types tested here (after
       // kMimeHandlerViewInCrossProcessFrame gets enabled by default).

third_party/blink/web_tests/external/wpt/fetch/corb/script-resource-with-nonsniffable-types.tentative.sub.html

@@ -53,9 +53,12 @@ function test(mime_type, is_blocking_expected) {
 // Some mime types should be protected by CORB without any kind
 // of confirmation sniffing.
 protected_mime_types = [
+  "application/gzip",
   "application/x-gzip",
   "application/x-protobuf",
+  "application/x-www-form-urlencoded",
   "application/zip",
+  "text/event-stream",
   // TODO(lukasza): https://crbug.com/944162: Add application/pdf and
   // text/csv to the list of content types tested here (after
   // kMimeHandlerViewInCrossProcessFrame gets enabled by default).