Resource requests from Save-Page-As should go through CanRequestURL checks.

chrome/test/data/save_page/unauthorized-access.htm

Index: chrome/test/data/save_page/unauthorized-access.htm
diff --git a/chrome/test/data/save_page/unauthorized-access.htm b/chrome/test/data/save_page/unauthorized-access.htm
new file mode 100644
index 0000000000000000000000000000000000000000..2826319298732409d9e4dff8b7fdc09e11e27ea0
--- /dev/null
+++ b/chrome/test/data/save_page/unauthorized-access.htm
@@ -0,0 +1,16 @@
+<html>
+  <head>
+    <title>
+      Test page for saving page feature
+    </title>
+  </head>
+  <body>
+    When this page is loaded over HTTP (i.e. via embedded_test_server() from a
+    browser test), then it should be denied access to local resources, like the
+    file: URI from the img tag below.  This test verifies that access to the
+    file: URI will also be forbidden when saving all resources of the page
+    during Save-Page-As-Complete-HTML.
+    <img id="resource1"
+         src="file:///path-to-be-set-at-test-runtime/should-not-save.txt"></img>
+  </body>
+</html>