CORS-RFC1918: Force preflights for external requests in DocumentThreadableLoader.
This patch introduces the requirement that "external requests" which go through
DocumentThreadableLoader (XHR, Fetch, etc) generate preflights containing an
`Access-Control-Request-External` header. The preflight must be answered with a new
`Access-Control-Allow-External` response header. Otherwise, the request will be
cancelled.
This is still behind a runtime flag in `test` mode, but it required updating a
number of tests that were making cross-origin requests from sandboxed origins to
`127.0.0.1`. I don't expect that to be a common pattern, so adding the relevant
headers seems like a reasonable way of addressing the problem for these tests.
BUG=
590714
Committed:
https://crrev.com/c9f85e872f14d0e09a6677fb0703ab949e6fe123
Cr-Commit-Position: refs/heads/master@{#392048}