https://github.com/w3c/webappsec-credential-management/pull/114 shifts
the restriction on nested usage of `navigator.credentials.{get,store}`
from a complete prohibition to one which applies more narrowly to
`PasswordCredential` and `FederatedCredential`.

This patch aligns Blink's behavior with the spec:

1. The nested-context restriction applies only to `get()` and `store()`
   operations that request `password` or `federated` credential types.
   `preventSilentAccess()` and `create()` can be called anywhere.
2. Nested contexts that are same-origin with all of their ancestors are
   carved out from the exclusion above. So, `example.com` embedded in
   `not-example.com` will trigger a rejection, while `example.com`
   embedded in `example.com` will not.
3. Nested usage triggers a `NotAllowedError` as opposed to the current
   `SecurityError`.

Bug: 785172
Change-Id: If0e75d7b84e91ed7f0eaf1220e90a1c307a85312
Reviewed-on: https://chromium-review.googlesource.com/771190
Commit-Queue: Mike West <[email protected]>
Reviewed-by: Dominic Battré <[email protected]>
Cr-Commit-Position: refs/heads/master@{#517824}
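
The three rules in the commit message above can be modelled as a small decision function. This is an added example, not Blink's code or part of the commit: the function names, the `frameChain` input (URLs from the top-level document down to the calling frame) and the handling of opaque origins as never same-origin are assumptions made for illustration.

```javascript
// Model of the nested-context rule described in the commit message.
// Illustrative only: names and input shape are hypothetical, not Blink's.
const RESTRICTED_TYPES = new Set(["password", "federated"]);

// True when the calling frame (last entry) shares its origin with every
// ancestor. A top-level document has no ancestors, so it always passes.
function sameOriginWithAncestors(frameChain) {
  const origins = frameChain.map((u) => new URL(u).origin);
  if (origins.length === 1) return true;
  const own = origins[origins.length - 1];
  // Assumption: opaque origins serialize as "null" and never match anything,
  // including another opaque origin.
  if (own === "null") return false;
  return origins.every((o) => o === own);
}

// Credential types a call touches: get() names them as option keys,
// store() is handed one credential carrying a `type`.
function requestedTypes(method, arg) {
  if (method === "get") return Object.keys(arg || {}).filter((k) => arg[k]);
  if (method === "store") return arg && arg.type ? [arg.type] : [];
  return []; // create() and preventSilentAccess() are callable anywhere
}

// Returns "allowed" or the name of the error the promise rejects with.
function checkCall(method, arg, frameChain) {
  const restricted = requestedTypes(method, arg).some((t) =>
    RESTRICTED_TYPES.has(t)
  );
  if (!restricted || sameOriginWithAncestors(frameChain)) return "allowed";
  return "NotAllowedError";
}

// Constructed sample frame chains (top-level first).
const crossOrigin = ["https://not-example.com/", "https://example.com/login"];
const sameOrigin = ["https://example.com/", "https://example.com/login"];
const sandwiched = [
  "https://example.com/",
  "https://not-example.com/ad",
  "https://example.com/login",
];
```

The `sandwiched` chain shows why the check is against all ancestors and not only the top-level document: the innermost frame matches the top but is still rejected because of the cross-origin frame in between.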