Ensure that mixed content checks preceed HSTS checks.

third_party/WebKit/LayoutTests/http/tests/security/mixedContent/insecure-iframe-with-hsts.https.html

Index: third_party/WebKit/LayoutTests/http/tests/security/mixedContent/insecure-iframe-with-hsts.https.html
diff --git a/third_party/WebKit/LayoutTests/http/tests/security/mixedContent/insecure-iframe-with-hsts.https.html b/third_party/WebKit/LayoutTests/http/tests/security/mixedContent/insecure-iframe-with-hsts.https.html
new file mode 100644
index 0000000000000000000000000000000000000000..425c6884d11f30ee6e38027f641bcb2bc32193d9
--- /dev/null
+++ b/third_party/WebKit/LayoutTests/http/tests/security/mixedContent/insecure-iframe-with-hsts.https.html
@@ -0,0 +1,22 @@
+<!DOCTYPE html>
+<script src="/resources/testharness.js"></script>
+<script src="/resources/testharnessreport.js"></script>
+<body>
+<script>
+  window.testRunner.dumpFrameLoadCallbacks();
+
+  async_test(t => {
+    fetch("https://hsts-example.test:8443/security/resources/hsts.php?as-fetch")
+      .then(t.step_func(_ => {
+        var i = document.createElement('iframe');
+
+        // Note: HTTP, not HTTPS:
+        i.src = "http://hsts-example.test:8443/security/resources/hsts.php";
+        window.onmessage = t.unreached_func("No message should be received from the frame.");
+
+        // Give the message a chance to get through.
+        document.body.appendChild(i);
+        requestAnimationFrame(_ => t.done());
+      }));
+  }, "HSTS does not bypass MIX.");
+</script>