Currently it's listed in kSecureSchemes in url_util.cc. However, about:blank pages can be opened by any origin, and do not define a secure context. We should consider removing it from the list.

This is currently causing problems with HTTP Bad implementation which displays a "not secure" chip for forms on insecure pages.

Also see bug 684231 (Remove data urls from secure origins).