We should probably merge https://chromium.googlesource.com/chromium/blink/+/2853f594838e8bf24813482ad02f87853cae4366 CSP: Redirects in DocumentThreadableLoader should respect the active policy. Canary currently fails test 150[1] and 156[2] of Erlend Oftedal's "CSP Testing" checks[3]. Both fail because we currently only check the URL to which an XHR connects during 'xhr.open()'. This patch adjusts the checks happening inside DocumentThreadableLoader::redirectReceived in order to verify that the URL to which we've been redirected passes through the page's Content Security Policy as well. [1]: http://csptesting.herokuapp.com/test/load/150 [2]: http://csptesting.herokuapp.com/test/load/156 [3]: http://csptesting.herokuapp.com/
*** This bug has been marked as a duplicate of bug 69359 ***