Fix cookie exclusion for fetch CORS pre-flight requests (fixes #3596)

Cookies (and other credentials) will be excluded when appropriate by
downgrading |credentials_mode| from kSameOrigin to kOmit.

Improve logic for Origin header inclusion, including a fix for
Referrer/Origin calculation in URLRequestJob::ComputeReferrerForPolicy
when used with custom standard schemes.

Specify correct CookiePartitionKeyCollection when loading cookies.

To test:
- Run tests from https://browseraudit.com/ with and without
  `--disable-request-handling-for-testing`. Results are the same.
- Run `ceftests --gtest_filter=CorsTest.*`.

patch/patches/net_url_request_3596.patch

@@ -0,0 +1,39 @@
+diff --git net/url_request/url_request_job.cc net/url_request/url_request_job.cc
+index 0e585570d3fa6..7158d4e8df44e 100644
+--- net/url_request/url_request_job.cc
++++ net/url_request/url_request_job.cc
+@@ -34,6 +34,7 @@
+ #include "net/ssl/ssl_private_key.h"
+ #include "net/url_request/redirect_util.h"
+ #include "net/url_request/url_request_context.h"
++#include "url/url_util.h"
+ 
+ namespace net {
+ 
+@@ -46,6 +47,16 @@ base::Value::Dict SourceStreamSetParams(SourceStream* source_stream) {
+   return event_params;
+ }
+ 
++bool IsSecureScheme(const GURL& url) {
++  if (!url.has_scheme()) {
++    return false;
++  }
++  if (GURL::SchemeIsCryptographic(url.scheme_piece())) {
++    return true;
++  }
++  return base::Contains(url::GetSecureSchemes(), url.scheme_piece());
++}
++
+ }  // namespace
+ 
+ // Each SourceStreams own the previous SourceStream in the chain, but the
+@@ -334,8 +345,7 @@ GURL URLRequestJob::ComputeReferrerForPolicy(
+   }
+ 
+   bool secure_referrer_but_insecure_destination =
+-      original_referrer.SchemeIsCryptographic() &&
+-      !destination.SchemeIsCryptographic();
++      IsSecureScheme(original_referrer) && !IsSecureScheme(destination);
+ 
+   switch (policy) {
+     case ReferrerPolicy::CLEAR_ON_TRANSITION_FROM_SECURE_TO_INSECURE: