In the parent bug, I've added support for chrome:// scheme when the network service is used.

Tom: can you please provide a security review for this? Thanks.

Implementation notes:
-this depends on network service, PlzNavigate, and mojo for loading. once the latter 2 ship, we can use this code path as well for production (i.e. before network service ships)
-there's a way to create a mojom::URLLoaderFactory for chrome:// urls. this is in content/browser/webui/web_ui_url_loader_factory.cc
-for frame requests, the webui URLLoaderFactory is hooked in NavigationURLLoaderNetworkService::StartURLRequest( for webui scheme
-RenderFrameHostImpl::CommitNavigation also replaces the URLLoaderFactory for the frame's subresources


Security notes:
-if a non-webui page has a webui scheme, then this is blocked as before because the ChildProcessSecurityPolicy checks are done in the browser by the plznavigate code before we get to NavigationURLLoaderNetworkService
-a redirect from a non-webui scheme to a webui scheme will fail, since the redirects happen in the network service which doesn't know about webui scheme
-we only send the factory to the renderer for subresources if the renderer committed a webui URL, which means the renderer is already trusted


I _think_ things are ok so far security-wise, but I defer to you Tom for security review.