While working on https://codereview.chromium.org/2332263002/ which changes the check for valid origin headers in content/browser/loader/resource_dispatcher_host_impl.cc from using committable URLs to specific origin-header-allowable URLs, it was pointed out that this allows URLs with schemes such as chrome: or view-source: to be in the Origin header. It doesn't feel right that these URLs should be sent out to the web generally. We should track down whether we can ban them in the origin header outright, and if so, update the new ChildProcessSecurityPolicyImpl::CanSetAsOriginHeader() method to do a check for those.
Comment 1 by mkwst@chromium.org, Feb 23 2017
Status: Available (was: Untriaged)