Prevent redirects to non-HTTP URLs when fetching CRLs/OCSP responses

When using NSS for certificate verification, add a check when fetching CRLs/OCSP responses to prevent redirects to non-HTTP URLs. This matches the initial check when first called from NSS to create the URLRequest.

In particular, fetching a CRL/OCSP response over HTTPS is troublesome, as the certificate sent by the responder may also need revocation checking, potentially causing revocation checking loops. 

The existing check only considered the initial URL scheme supplied by NSS. However, if the server issues a redirect, the new URL scheme scheme was not filtered.

BUG=64521
TEST=none

Committed: http://src.chromium.org/viewvc/chrome?view=rev&revision=68329

[Ryan Sleevi, 2010-11-28 09:06:59]

ukai: Would you be willing to review this? Since you were responsible for most
of the code here, I thought you'd be best to review.

To follow up my comments on Issue 64521, the existing code does check the
incoming scheme, as specified by the AIA extension, to ensure it matches HTTP -
http://src.chromium.org/viewvc/chrome/trunk/src/net/ocsp/nss_ocsp.cc?annotate...

The problem is that the server is redirecting the request for the CRL,
http://pki.nau.edu/CRL/Woolywillow.froot.nau.edu_NAU%20Online%20Enterprise%20...
to
https://pki.nau.edu/CRL/Woolywillow.froot.nau.edu_NAU%20Online%20Enterprise%2...

The URLRequest follows the redirect, which is how it ends up in the loop.

[Ryan Sleevi, 2010-11-29 16:34:27]

+cc agl: I didn't update http://crbug.com/64521 with the info yet. HTTP is
disallowed for OCSP/CRL/AIAs in the initial URL, but it wasn't being disabled
for redirects as well.

[Ryan Sleevi, 2010-12-05 19:58:22]

ukai: Ping?

[ukai, 2010-12-06 01:07:50]

LGTM

[wtc, 2010-12-08 20:07:13]

LGTM.