NSS Cros multiprofile: trust roots added by a profile shouldn't apply to other profiles.

net/cert/nss_profile_filter_chromeos.h

Index: net/cert/nss_profile_filter_chromeos.h
diff --git a/net/cert/nss_profile_filter_chromeos.h b/net/cert/nss_profile_filter_chromeos.h
index d5ff8186888495c78bf8831a1dd0e1ab4eab194f..3e2be2e217e48ac638881dbc5f78597a1dcb2fbf 100644
--- a/net/cert/nss_profile_filter_chromeos.h
+++ b/net/cert/nss_profile_filter_chromeos.h
@@ -16,17 +16,28 @@ class ResourceContext;
 
 namespace net {
 
+// On ChromeOS each user has separate NSS databases, which are loaded
+// simultaneously when multiple users are logged in at the same time. NSS
+// doesn't have built-in support to partition databases into separate groups, so
+// NSSProfileFilterChromeOS can be used to check if a given slot or certificate
+// should be used for a given user.
+//
+// Objects of this class are thread-safe except for the Init function, which if
+// called must not be called while other threads could access the object.
 class NET_EXPORT NSSProfileFilterChromeOS {
  public:
+  // Create a filter. Until Init is called (or if Init is called with NULL
+  // slot handles), the filter will allow only certs/slots from the read-only
+  // slots and the root CA module.
   NSSProfileFilterChromeOS();
   ~NSSProfileFilterChromeOS();
 
-  // Initialize with slot handles.
+  // Initialize with the slot handles to allow. This method is not thread-safe.
   void Init(crypto::ScopedPK11Slot public_slot,
             crypto::ScopedPK11Slot private_slot);
 
   bool IsModuleAllowed(PK11SlotInfo* slot) const;
-  bool IsCertAllowed(const scoped_refptr<X509Certificate>& cert) const;
+  bool IsCertAllowed(CERTCertificate* cert) const;
 
   class CertNotAllowedForProfilePredicate {
    public: