Block the "res" external protocol.

This prevents launching JavaScript in unprivileged mode via Internet
Explorer.

Bug: 959438
Change-Id: Ib359be8de82458b4e4276337123245ef5a2118e9
Reviewed-on: https://chromium-review.googlesource.com/c/chromium/src/+/1607131Reviewed-by: Ben Wells <benwells@chromium.org>
Commit-Queue: Alex Moshchuk <alexmos@chromium.org>
Cr-Commit-Position: refs/heads/master@{#659396}

chrome/browser/external_protocol/external_protocol_handler.cc

@@ -39,7 +39,7 @@ constexpr const char* kDeniedSchemes[] = {
     // execute the file specified!  Hopefully we won't see any "file" schemes
     // because we think of file:// URLs as handled URLs, but better to be safe
     // than to let an attacker format the user's hard drive.
-    "file", "hcp", "javascript", "ms-help", "nntp", "shell", "vbscript",
+    "file", "hcp", "javascript", "ms-help", "nntp", "res", "shell", "vbscript",
     // view-source is a special case in chrome. When it comes through an
     // iframe or a redirect, it looks like an external protocol, but we don't
     // want to shellexecute it.

chrome/browser/external_protocol/external_protocol_handler_unittest.cc

@@ -267,6 +267,8 @@ TEST_F(ExternalProtocolHandlerTest, TestGetBlockStateDefaultBlock) {
   ExternalProtocolHandler::BlockState block_state =
       ExternalProtocolHandler::GetBlockState("afp", profile_.get());
   EXPECT_EQ(ExternalProtocolHandler::BLOCK, block_state);
+  block_state = ExternalProtocolHandler::GetBlockState("res", profile_.get());
+  EXPECT_EQ(ExternalProtocolHandler::BLOCK, block_state);
   EXPECT_TRUE(
       profile_->GetPrefs()->GetDictionary(prefs::kExcludedSchemes)->empty());
 }