Enable CorbAllowlistAlsoAppliesToOorCors by default.

CorbAllowlistAlsoAppliesToOorCors (aka CORS-for-content-scripts) has
been shipping to the stable channel with Chrome85 since Aug 25th (~2
weeks ago).  There have been just a handful of allowlisting requests so
far - therefore, it seems okay to declare that this change has
successfully shipped to the stable channel.

This CL transitions enabling CorbAllowlistAlsoAppliesToOorCors away from
1) fieldtrial_testing_config.json and 2) field trial config (this
includes preserving/copying the allowlisted extensions from
site_isolation/data/CorsAndCorbAllowlist.gcl to
//extensions/browser/url_loader_factory_manager.cc).

After this CL we still retain an ability to allowlist extensions:
1. Via field trial config (affecting Chrome versions prior to this CL
   - Chrome 85, Chrome 86 and a little bit of Chrome 87)
2. Via the hardcoded allowlist in
  //extensions/browser/url_loader_factory_manager.cc (although this
  ability will go away soon - after https://crrev.com/c/2388709).

This CL unblocks the following follow-up CLs:
1. Adding |max_version| to the field trial config
   (google3 - cl/330527651)
2. Starting deprecation of the allowlist
   (chromium3 - https://crrev.com/c/2388709)

Bug: 920638
Change-Id: I635eb0777dc83a7ad448f57b9de388ae071e0c9b
Reviewed-on: https://chromium-review.googlesource.com/c/chromium/src/+/2359393
Commit-Queue: Łukasz Anforowicz <lukasza@chromium.org>
Reviewed-by: Charlie Reis <creis@chromium.org>
Cr-Commit-Position: refs/heads/master@{#805490}

docs/security/compromised-renderers.md

@@ -304,9 +304,10 @@ Protection techniques:
   https://crbug.com/920634 (making
   `network::ResourceRequest::request_initiator` unspoofable without
   having to go through `GetTrustworthyInitiator`) and
-  https://crbug.com/920638 (making
-  `network::ResourceRequest::isolated_world_origin` irrelevant for
-  security decisions).
+  https://crbug.com/1098410 (removing
+  `network::ResourceRequest::isolated_world_origin` which is used
+  in some security decisions instead of `request_initiator` to support
+  an allowlist of extensions that need to bypass CORB/CORS).
 
 
 ## (WIP) SameSite cookies

services/network/public/cpp/features.cc

@@ -169,7 +169,7 @@ const base::FeatureParam<std::string> kEmergencyLegacyCookieAccessParam{
 // [1]
 // https://www.chromium.org/Home/chromium-security/extension-content-script-fetches
 const base::Feature kCorbAllowlistAlsoAppliesToOorCors = {
-    "CorbAllowlistAlsoAppliesToOorCors", base::FEATURE_DISABLED_BY_DEFAULT};
+    "CorbAllowlistAlsoAppliesToOorCors", base::FEATURE_ENABLED_BY_DEFAULT};
 const char kCorbAllowlistAlsoAppliesToOorCorsParamName[] =
     "AllowlistForCorbAndCors";
 

testing/variations/fieldtrial_testing_config.json

@@ -1485,24 +1485,6 @@
             ]
         }
     ],
-    "CorbAllowlistAlsoAppliesToOorCors": [
-        {
-            "platforms": [
-                "chromeos",
-                "linux",
-                "mac",
-                "windows"
-            ],
-            "experiments": [
-                {
-                    "name": "Enabled",
-                    "enable_features": [
-                        "CorbAllowlistAlsoAppliesToOorCors"
-                    ]
-                }
-            ]
-        }
-    ],
     "CrOSMinFilelistKB": [
         {
             "platforms": [