Block 'ftp:' subresource requests from non-'ftp:' pages.

third_party/WebKit/Source/core/loader/FrameFetchContext.cpp

Index: third_party/WebKit/Source/core/loader/FrameFetchContext.cpp
diff --git a/third_party/WebKit/Source/core/loader/FrameFetchContext.cpp b/third_party/WebKit/Source/core/loader/FrameFetchContext.cpp
index e301c9dbf93e549a94e2437df848e0796b4bd5e8..dc641a6aded042f8c6ee8d9a1520c12dbaad2d49 100644
--- a/third_party/WebKit/Source/core/loader/FrameFetchContext.cpp
+++ b/third_party/WebKit/Source/core/loader/FrameFetchContext.cpp
@@ -796,6 +796,11 @@ ResourceRequestBlockedReason FrameFetchContext::canRequestInternal(
             frame()->document()->getSecurityOrigin()->protocol())) {
       Deprecation::countDeprecation(
           frame()->document(), UseCounter::LegacyProtocolEmbeddedAsSubresource);
+
+      // TODO(mkwst): Drop the runtime-enabled check in M59:
+      // https://www.chromestatus.com/feature/5709390967472128
+      if (RuntimeEnabledFeatures::blockLegacySubresourcesEnabled())
+        return ResourceRequestBlockedReason::Origin;
     }
     if (!url.user().isEmpty() || !url.pass().isEmpty()) {
       Deprecation::countDeprecation(