Reject cross-origin redirects for top-level classic worker scripts

This CL rejects cross-origin redirects in top-level scripts of
classic (dedicated | shared) workers in WorkerClassicScriptLoader,
to ensure that the response and request URLs of
a worker top-level script are same-origin in successful cases.

As most of cross-origin redirects should be already rejected
by loaders, this CL affects only cross-origin-redirected workers
created from an extension origin that has permissions and CSP
settings to access both the origins of the request and response URLs,
which I expect extremely rare.

This CL also adds browser_tests that cover such cases.

Bug: 861965, 861564
Change-Id: I80c27f9df550490384b5066b4b192d6415210b6d
Reviewed-by: Devlin <>
Reviewed-by: Kinuko Yasuda <>
Reviewed-by: Kouhei Ueno <>
Reviewed-by: Hiroki Nakagawa <>
Commit-Queue: Hiroshige Hayashizaki <>
Cr-Commit-Position: refs/heads/master@{#578376}
12 files changed