NSS Cros multiprofile: trust roots added by a profile shouldn't apply to other profiles.

net/cert/nss_profile_filter_chromeos.h

Index: net/cert/nss_profile_filter_chromeos.h
diff --git a/net/cert/nss_profile_filter_chromeos.h b/net/cert/nss_profile_filter_chromeos.h
index ae310c69c3d0117462ffa67102f041ef8e60302a..469861987079347f1d0f18ab3bab879ade5c1eb3 100644
--- a/net/cert/nss_profile_filter_chromeos.h
+++ b/net/cert/nss_profile_filter_chromeos.h
@@ -14,20 +14,32 @@ namespace net {
 
 class X509Certificate;
 
+// On ChromeOS each user has separate NSS databases, which are loaded
+// simultaneously when multiple users are logged in at the same time. NSS
+// doesn't have built-in support to partition databases into separate groups, so
+// NSSProfileFilterChromeOS can be used to check if a given slot or certificate
+// should be used for a given user.
+//
+// Objects of this class are thread-safe except for the Init function, which if
+// called must not be called while other threads could access the object.
 class NET_EXPORT NSSProfileFilterChromeOS {
  public:
+  // Create a filter. Until Init is called (or if Init is called with NULL
+  // slot handles), the filter will allow only certs/slots from the read-only
+  // slots and the root CA module.
   NSSProfileFilterChromeOS();
   NSSProfileFilterChromeOS(const NSSProfileFilterChromeOS& other);
   ~NSSProfileFilterChromeOS();
 
   NSSProfileFilterChromeOS& operator=(const NSSProfileFilterChromeOS& other);
 
-  // Initializes the filter with slot handles.
+  // Initialize the filter with the slot handles to allow. This method is not
+  // thread-safe.
   void Init(crypto::ScopedPK11Slot public_slot,
             crypto::ScopedPK11Slot private_slot);
 
   bool IsModuleAllowed(PK11SlotInfo* slot) const;
-  bool IsCertAllowed(const scoped_refptr<X509Certificate>& cert) const;
+  bool IsCertAllowed(CERTCertificate* cert) const;
 
   class CertNotAllowedForProfilePredicate {
    public: