Null-dereference READ in blink::SecurityOrigin::CanRequest

Issue description

Detailed report: https://clusterfuzz.com/testcase?key=5970609349328896
Fuzzer: ochang_domfuzzer
Job Type: linux_msan_content_shell_drt
Platform Id: linux
Crash Type: Null-dereference READ
Crash Address: 0x000000000040
Crash State:
  blink::SecurityOrigin::CanRequest
  blink::AllowedByNosniff::MimeTypeAsScript
  blink::ClassicPendingScript::GetSource
Sanitizer: memory (MSAN)
Regressed: https://clusterfuzz.com/revisions?job=linux_msan_content_shell_drt&range=613878:613879
Reproducer Testcase: https://clusterfuzz.com/download?testcase_id=5970609349328896

Issue filed automatically. See https://www.chromium.org/developers/testing/memorysanitizer#TOC-Reproducing-ClusterFuzz-Bugs for more information.
Comment 1 by ClusterFuzz, Dec 5
Labels: Test-Predator-Auto-Components

Automatically assigning owner based on suspected regression changelist https://chromium.googlesource.com/chromium/src/+/f5918e1225fc91bc5c02bb1cfb447dc97578e952 (Move AllowedByNosniff to platform/loader). If this is incorrect, please let us know why and apply the Test-Predator-Wrong-CLs label. If you aren't the correct owner for this issue, please unassign yourself as soon as possible so it can be re-triaged.
Dec 5

This is because the script element's Document's ResourceFetcher's FetchContext's SecurityOrigin becomes null after moving the script to another document created by createDocument(). My CL caused this regression because it switches the context document to the element document unintentionally.
Dec 6

The following revision refers to this bug:
https://chromium.googlesource.com/chromium/src.git/+/748875b36e91d5cd25bd8d653677fb5192203c97

commit 748875b36e91d5cd25bd8d653677fb5192203c97
Author: Hiroshige Hayashizaki <hiroshige@chromium.org>
Date: Thu Dec 06 05:46:57 2018

Revert unintentional switching to element document in an AllowedByNosniff call

In classic_pending_script.cc, [1] uses GetElement()->GetDocument().Fetcher()->Context() which corresponds to the element document, while before [1] it was GetElement()->GetDocument().ContextDocument() which corresponds to the context document.

This CL reverts this change and uses the context document, and adds a regression test derived from a clusterfuzz test case.

[1] https://chromium-review.googlesource.com/1351873

Bug: 912046, 880027
Change-Id: I92ca9723c3fdd1c5d9c304e4e196aeb77c75ee88
Reviewed-on: https://chromium-review.googlesource.com/c/1364050
Reviewed-by: Hiroki Nakagawa <nhiroki@chromium.org>
Commit-Queue: Hiroshige Hayashizaki <hiroshige@chromium.org>
Cr-Commit-Position: refs/heads/master@{#614279}

[modify] https://crrev.com/748875b36e91d5cd25bd8d653677fb5192203c97/third_party/blink/renderer/core/script/classic_pending_script.cc
[add] https://crrev.com/748875b36e91d5cd25bd8d653677fb5192203c97/third_party/blink/web_tests/http/tests/misc/script-moved-to-createDocument-crash.html
Dec 6

ClusterFuzz has detected this issue as fixed in range 614278:614279.

Detailed report: https://clusterfuzz.com/testcase?key=5970609349328896
Fuzzer: ochang_domfuzzer
Job Type: linux_msan_content_shell_drt
Platform Id: linux
Crash Type: Null-dereference READ
Crash Address: 0x000000000040
Crash State:
  blink::SecurityOrigin::CanRequest
  blink::AllowedByNosniff::MimeTypeAsScript
  blink::ClassicPendingScript::GetSource
Sanitizer: memory (MSAN)
Regressed: https://clusterfuzz.com/revisions?job=linux_msan_content_shell_drt&range=613878:613879
Fixed: https://clusterfuzz.com/revisions?job=linux_msan_content_shell_drt&range=614278:614279
Reproducer Testcase: https://clusterfuzz.com/download?testcase_id=5970609349328896

See https://www.chromium.org/developers/testing/memorysanitizer#TOC-Reproducing-ClusterFuzz-Bugs for more information. If you suspect that the result above is incorrect, try re-doing that job on the test case report page.
Dec 6

ClusterFuzz testcase 5970609349328896 is verified as fixed, so closing issue as verified. If this is incorrect, please add ClusterFuzz-Wrong label and re-open the issue.