Do not trigger CrossSiteResourceHandler for streams or user certs.

content/browser/loader/buffered_resource_handler.cc

Index: content/browser/loader/buffered_resource_handler.cc
diff --git a/content/browser/loader/buffered_resource_handler.cc b/content/browser/loader/buffered_resource_handler.cc
index 2a5ef9cd120c0957467e0054c2a3b5f6900ca94e..ba23eaf326ed854b4548ba5bc90533b7be40fc14 100644
--- a/content/browser/loader/buffered_resource_handler.cc
+++ b/content/browser/loader/buffered_resource_handler.cc
@@ -307,6 +307,7 @@ bool BufferedResourceHandler::SelectNextHandler(bool* defer) {
 
   if (net::IsSupportedCertificateMimeType(mime_type)) {
     // Install certificate file.
+    info->set_is_download(true);
     scoped_ptr<ResourceHandler> handler(
         new CertificateResourceHandler(request()));
     return UseAlternateNextHandler(handler.Pass());
@@ -372,9 +373,11 @@ bool BufferedResourceHandler::UseAlternateNextHandler(
   // Inform the original ResourceHandler that this will be handled entirely by
   // the new ResourceHandler.
   // TODO(darin): We should probably check the return values of these.
-  // TODO(davidben): These DCHECKs do actually trigger.
   bool defer_ignored = false;
   next_handler_->OnResponseStarted(request_id, response_.get(), &defer_ignored);
+  // Although deferring OnResponseStarted is legal, the only downstream handler
+  // which does so is CrossSiteResourceHandler. Cross-site transitions should
+  // not trigger when switching handlers.
   DCHECK(!defer_ignored);
   net::URLRequestStatus status(net::URLRequestStatus::CANCELED,
                                net::ERR_ABORTED);