chore: cherry-pick 85123ea32b from chromium (#31202)

patches/chromium/.patches

@@ -146,3 +146,4 @@ cherry-pick-ddc4cf156505.patch
 skip_webgl_conformance_programs_program-test_html_on_all_platforms.patch
 linux_sandbox_update_syscall_numbers_for_all_platforms.patch
 linux_sandbox_return_enosys_for_clone3.patch
+kill_a_renderer_if_it_provides_an_unexpected_frameownerelementtype.patch

patches/chromium/kill_a_renderer_if_it_provides_an_unexpected_frameownerelementtype.patch

@@ -0,0 +1,72 @@
+From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
+From: Jorge Lucangeli Obes <jorgelo@chromium.org>
+Date: Wed, 22 Sep 2021 20:27:54 +0000
+Subject: Kill a renderer if it provides an unexpected FrameOwnerElementType
+
+(Merge to M93.)
+
+Portals and MPArch based Fenced Frames are not created as normal
+subframes.
+
+(cherry picked from commit beebc8aec0f8f9e627e69ad67ef311903924b384)
+
+Bug: 1251727
+Change-Id: I81326d2caf2038aec2f77cf577161a24bb9b65b2
+Reviewed-on: https://chromium-review.googlesource.com/c/chromium/src/+/3174272
+Commit-Queue: Kevin McNee <mcnee@chromium.org>
+Commit-Queue: Adrian Taylor <adetaylor@chromium.org>
+Reviewed-by: Alex Moshchuk <alexmos@chromium.org>
+Cr-Original-Commit-Position: refs/heads/main@{#923644}
+Reviewed-on: https://chromium-review.googlesource.com/c/chromium/src/+/3174713
+Auto-Submit: Jorge Lucangeli Obes <jorgelo@chromium.org>
+Reviewed-by: Dominic Farolino <dom@chromium.org>
+Reviewed-by: Kevin McNee <mcnee@chromium.org>
+Commit-Queue: Jorge Lucangeli Obes <jorgelo@chromium.org>
+Cr-Commit-Position: refs/branch-heads/4577@{#1266}
+Cr-Branched-From: 761ddde228655e313424edec06497d0c56b0f3c4-refs/heads/master@{#902210}
+
+diff --git a/content/browser/bad_message.h b/content/browser/bad_message.h
+index e198d661c711dc648a4e4c2249e0a60f69c406da..d1821c863d998cb010d8f5d12c12d79b18075a9d 100644
+--- a/content/browser/bad_message.h
++++ b/content/browser/bad_message.h
+@@ -269,6 +269,8 @@ enum BadMessageReason {
+   PAYMENTS_WITHOUT_PERMISSION = 241,
+   WEB_BUNDLE_INVALID_NAVIGATION_URL = 242,
+   WCI_INVALID_DOWNLOAD_IMAGE_RESULT = 243,
++  FARI_LOGOUT_BAD_ENDPOINT = 250,
++  RFH_CHILD_FRAME_UNEXPECTED_OWNER_ELEMENT_TYPE = 251,
+
+   // Please add new elements here. The naming convention is abbreviated class
+   // name (e.g. RenderFrameHost becomes RFH) plus a unique description of the
+diff --git a/content/browser/renderer_host/render_frame_host_impl.cc b/content/browser/renderer_host/render_frame_host_impl.cc
+index 29571b8ab59518fe93e35c1cc7f113e65ed39420..39717e91a88f04d42b489b2217c67f65ee797b4c 100644
+--- a/content/browser/renderer_host/render_frame_host_impl.cc
++++ b/content/browser/renderer_host/render_frame_host_impl.cc
+@@ -2771,6 +2771,14 @@ void RenderFrameHostImpl::OnCreateChildFrame(
+     // is invalid.
+     bad_message::ReceivedBadMessage(
+         GetProcess(), bad_message::RFH_CHILD_FRAME_NEEDS_OWNER_ELEMENT_TYPE);
++    return;
++  }
++  if (owner_type == blink::mojom::FrameOwnerElementType::kPortal) {
++    // Portals are not created through this child frame code path.
++    bad_message::ReceivedBadMessage(
++        GetProcess(),
++        bad_message::RFH_CHILD_FRAME_UNEXPECTED_OWNER_ELEMENT_TYPE);
++    return;
+   }
+
+   DCHECK(devtools_frame_token);
+diff --git a/tools/metrics/histograms/enums.xml b/tools/metrics/histograms/enums.xml
+index ed247042e6c0e2bb2b63bf102622f7bfd6ea9ac4..d6dd81a4af0fb71b0ab6b410bfb20737dfdbdbf9 100644
+--- a/tools/metrics/histograms/enums.xml
++++ b/tools/metrics/histograms/enums.xml
+@@ -7224,6 +7224,8 @@ Called by update_bad_message_reasons.py.-->
+   <int value="241" label="PAYMENTS_WITHOUT_PERMISSION"/>
+   <int value="242" label="WEB_BUNDLE_INVALID_NAVIGATION_URL"/>
+   <int value="243" label="WCI_INVALID_DOWNLOAD_IMAGE_RESULT"/>
++  <int value="250" label="FARI_LOGOUT_BAD_ENDPOINT"/>
++  <int value="251" label="RFH_CHILD_FRAME_UNEXPECTED_OWNER_ELEMENT_TYPE"/>
+ </enum>
+
+ <enum name="BadMessageReasonExtensions">