Do not update insecure navigations set in non-Document contexts

This will fix crashes that
https://chromium-review.googlesource.com/c/chromium/src/+/1139074
would cause, by preventing WorkerOrWorkletGlobalScope::Url() access
during WorkerGlobalScope initialization.

Tests: external/wpt/upgrade-insecure-requests/
Bug: 861564, 878274
Change-Id: I21c3e435784640ba7baae803b0edfac290ed5366
Reviewed-on: https://chromium-review.googlesource.com/c/1457457
Reviewed-by: Hiroki Nakagawa <nhiroki@chromium.org>
Reviewed-by: Mike West <mkwst@chromium.org>
Commit-Queue: Hiroshige Hayashizaki <hiroshige@chromium.org>
Cr-Commit-Position: refs/heads/master@{#631847}
diff --git a/third_party/blink/renderer/core/frame/csp/content_security_policy_test.cc b/third_party/blink/renderer/core/frame/csp/content_security_policy_test.cc
index f6065a4..3706b37 100644
--- a/third_party/blink/renderer/core/frame/csp/content_security_policy_test.cc
+++ b/third_party/blink/renderer/core/frame/csp/content_security_policy_test.cc
@@ -68,16 +68,15 @@
                           kContentSecurityPolicyHeaderSourceHTTP);
     EXPECT_EQ(test.expected_policy, csp->GetInsecureRequestPolicy());
 
-    execution_context = CreateExecutionContext();
-    execution_context->SetSecurityOrigin(secure_origin);
-    execution_context->SetURL(secure_url);
-    csp->BindToDelegate(execution_context->GetContentSecurityPolicyDelegate());
-    EXPECT_EQ(test.expected_policy,
-              execution_context->GetInsecureRequestPolicy());
+    Document* document = Document::CreateForTest();
+    document->SetSecurityOrigin(secure_origin);
+    document->SetURL(secure_url);
+    csp->BindToDelegate(document->GetContentSecurityPolicyDelegate());
+    EXPECT_EQ(test.expected_policy, document->GetInsecureRequestPolicy());
     bool expect_upgrade = test.expected_policy & kUpgradeInsecureRequests;
     EXPECT_EQ(expect_upgrade,
-              execution_context->InsecureNavigationsToUpgrade()->Contains(
-                  execution_context->Url().Host().Impl()->GetHash()));
+              document->InsecureNavigationsToUpgrade()->Contains(
+                  document->Url().Host().Impl()->GetHash()));
   }
 
   // Report-Only
diff --git a/third_party/blink/renderer/core/frame/csp/execution_context_csp_delegate.cc b/third_party/blink/renderer/core/frame/csp/execution_context_csp_delegate.cc
index 9fa20c7..46a0201 100644
--- a/third_party/blink/renderer/core/frame/csp/execution_context_csp_delegate.cc
+++ b/third_party/blink/renderer/core/frame/csp/execution_context_csp_delegate.cc
@@ -75,11 +75,14 @@
     // Step 4. Insert tuple into settings’s upgrade insecure navigations set.
     // [spec text]
     Count(WebFeature::kUpgradeInsecureRequestsEnabled);
-    if (!Url().Host().IsEmpty()) {
+    // We don't add the hash if |document| is null, to prevent
+    // WorkerGlobalScope::Url() before it's ready. https://crbug.com/861564
+    // This should be safe, because the insecure navigations set is not used
+    // in non-Document contexts.
+    if (document && !Url().Host().IsEmpty()) {
       uint32_t hash = Url().Host().Impl()->GetHash();
       security_context.AddInsecureNavigationUpgrade(hash);
-      if (document)
-        document->DidEnforceInsecureNavigationsSet();
+      document->DidEnforceInsecureNavigationsSet();
     }
   }
 }