What pieces differ? Is there disagreement only for embedder-specific things like `chrome-extension`, or is the divergence deeper?

Example differences I was affected by (there might be more):

- The file scheme is considered secure by content/; not by Blink.
- The about and data schemes are considered secure by Blink; not by content/.
- The blob scheme is considered secure by Blink if its internal URL is considered secure by SchemeRegistry::shouldTreatURLSchemeAsSecure. content/ never considers them secure.

Browser side test to run with content_unittests:

TEST(SecureOriginConceptsBrowserSideTest, SecureOriginDifferences) {
  const GURL fileGurl("file://a/b/c.txt");
  EXPECT_TRUE(IsOriginSecure(fileGurl));
  const GURL aboutGurl("about://whatever");
  const GURL dataGurl("data:text/html;charset=utf-8;base64,PCFET0...C9odG1sPg==");
  EXPECT_FALSE(IsOriginSecure(aboutGurl));
  EXPECT_FALSE(IsOriginSecure(dataGurl));
  const GURL blobGurl("blob:https://example.com");
  EXPECT_FALSE(IsOriginSecure(blobGurl));
}


Blink side test to run with webkit_unit_tests:

TEST(MixedContentCheckerTest, SecureOriginDifferences) {
  const KURL fileKurl(KURL(), "file://a/b/c.txt");
  EXPECT_FALSE(SecurityOrigin::isSecure(fileKurl));
  const KURL aboutKurl(KURL(), "about://whatever");
  const KURL dataKurl(KURL(), "data:text/html;charset=utf-8;base64,PCFET0...C9odG1sPg==");
  EXPECT_TRUE(SecurityOrigin::isSecure(aboutKurl));
  EXPECT_TRUE(SecurityOrigin::isSecure(dataKurl));
  const KURL blobKurl(KURL(), "blob:https://example.com");
  EXPECT_TRUE(SecurityOrigin::isSecure(blobKurl));
}

These tests pass asserting the difference.

+palmer, who will have opinions.

I agree that we should try to align these, though this is more of an issue of naming than anything else. That is, `IsOriginSecure` is more or less the same as `SecurityOrigin::IsPotentiallyTrustworthy`, which does consider `file` secure, and `data`/`about` non-secure.

`blob:`, on the other hand, is just a bug.

The following revision refers to this bug:
  https://chromium.googlesource.com/chromium/src.git/+/b904e99561e159a2f801b311fb33f980d2a7caa2

commit b904e99561e159a2f801b311fb33f980d2a7caa2
Author: Daniel Bratell <bratell@opera.com>
Date: Fri Oct 27 14:16:28 2017

Removed IsOriginSecure clone and removed "using namespace"

Importing namespaces with "using namespace" can have surprising
results (which is why the coding standard disallows them).

This patch's main motivation is to remove a "using namespace content"
which made indexed_db code unable to distinguish between ::indexed_db 
and ::content::indexed_db in jumbo builds, but in the process it
was realized that the local IsOriginSecure was only partly used
and also seemed to be close enough to content::IsOriginSecure that
one of them should suffice.

There were two IsOriginSecure(). One in {anon ns}::IsOriginSecure() and
one in content::IsOriginSecure(). In mixed_content_navigation_throttle.cc
there are two calls to unqualified "IsOriginSecure()". One was 
supposed to resolve to {anon ns}::IsOriginSecure() and
the other one to content::IsOriginSecure().

After this patch both calls will go to content::IsOriginSecure().

Bug: 629059, 746953
Cq-Include-Trybots: master.tryserver.chromium.linux:linux_site_isolation
Change-Id: Id572c05707545e6303f63f2c4a18acf7fda2a4c4
Reviewed-on: https://chromium-review.googlesource.com/738175
Reviewed-by: Camille Lamy <clamy@chromium.org>
Commit-Queue: Daniel Bratell <bratell@opera.com>
Cr-Commit-Position: refs/heads/master@{#512174}
[modify] https://crrev.com/b904e99561e159a2f801b311fb33f980d2a7caa2/content/browser/frame_host/mixed_content_navigation_throttle.cc