Early Hints: Parse additional header fields for content-policy-security
Categories
(Core :: Networking: HTTP, task, P2)
Tracking
| | Tracking | Status |
|---|---|---|
| firefox110 | --- | fixed |
People
(Reporter: manuel, Assigned: acreskey)
References
(Blocks 1 open bug)
Details
(Whiteboard: [necko-triaged])
Attachments
(1 file, 1 obsolete file)
When the server already responds with additional headers about CSP or referrer-policy, we should respect them and restrict the outgoing requests accordingly. Currently only the referrerpolicy passed in the Link header directly is parsed (e.g. via Link: <style.css>; rel=preload; as=style; referrerpolicy=no-referrer). There is no link attribute for CSP in the link spec, so it's only possible to specify it via HTTP header for early hint requests.
This is not critical for the first patch, because only same-origin requests are made for now (and early hints are disabled by default for now). It becomes more important when preloading cross-origin requests (Bug 1744822).
Comment 2•2 years ago
I've moved the referrer-policy parsing and application into a separate issue, bug 1799166.
Comment 3•2 years ago
Comment on attachment 9301827 [details]
wip Bug 1765289 - Early Hints: Parse additional header fields for content-policy-security and referrer-policy
Revision D161182 was moved to bug 1799166. Setting attachment 9301827 [details] to obsolete.
Comment 5•2 years ago
We're also going to cover the scenario described by :manuel here.
Server response:
103 Early Hints
Content-Security-Policy: style-src https://example.com/
Link: <https://example.com/style.css>; rel=preload; as=style; referrerpolicy=no-referrer
200 OK
Content-Security-Policy: style-src https://example.com/  # <-- Two test cases, one with this line, one without
Response when requesting the resource https://example.com/style.css:
301 Moved Permanently
Location: https://example.net/style.css
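The header handling described in the report and the redirect scenario in comment 5, as an added example that is not Firefox or Necko code: it parses the Link and Content-Security-Policy headers of a 103 response and checks each announced preload, and every redirect hop it takes, against the hinted CSP. The header values, the redirect map and all function names (parseLinkHeader, parseCsp, sourceMatches, evaluateEarlyHints) are constructed for this illustration, and the CSP matcher implements only a subset of the CSP source grammar.

```javascript
// Added example, not Firefox/Necko code: a model of how headers carried on a
// 103 Early Hints response (Content-Security-Policy, Link) could govern the
// preload requests a browser issues before the final response arrives.
// The CSP source matcher is a deliberately small subset of the CSP3 grammar.

// Parse a Link header value into [{ url, params }]; attribute names and
// token values are case-insensitive, so both are lowercased.
function parseLinkHeader(value, baseUrl) {
  const links = [];
  for (const part of value.split(/,(?=\s*<)/)) {
    const m = part.trim().match(/^<([^>]*)>\s*(.*)$/);
    if (!m) continue;                      // malformed member: skip, never preload it
    const params = {};
    for (const p of m[2].split(';')) {
      const kv = p.trim();
      if (!kv) continue;
      const eq = kv.indexOf('=');
      const name = (eq === -1 ? kv : kv.slice(0, eq)).trim().toLowerCase();
      const val = eq === -1 ? '' : kv.slice(eq + 1).trim().replace(/^"(.*)"$/, '$1');
      params[name] = val.toLowerCase();
    }
    links.push({ url: new URL(m[1], baseUrl).href, params });
  }
  return links;
}

// Parse a CSP header into Map(directive -> source expressions). Per CSP a
// repeated directive is ignored, so the first occurrence wins.
function parseCsp(value) {
  const directives = new Map();
  for (const d of value.split(';')) {
    const tokens = d.trim().split(/\s+/).filter(Boolean);
    if (tokens.length === 0) continue;
    const name = tokens[0].toLowerCase();
    if (!directives.has(name)) directives.set(name, tokens.slice(1));
  }
  return directives;
}

// Does one source expression match the URL? Supports 'none', 'self', '*',
// scheme-source ("https:") and host-source ([scheme://][*.]host[:port][/path]).
// Not modelled: nonces, hashes, and http -> https upgrade matching.
function sourceMatches(expr, url, selfOrigin) {
  const e = expr.toLowerCase();
  if (e === "'none'") return false;
  if (e === "'self'") return url.origin === selfOrigin;
  if (e === '*') return url.protocol === 'https:' || url.protocol === 'http:'; // simplified
  if (/^[a-z][a-z0-9+.-]*:$/.test(e)) return url.protocol === e;
  const m = e.match(/^(?:([a-z][a-z0-9+.-]*):\/\/)?(\*\.)?([^:\/*]+)(?::(\d+|\*))?(\/.*)?$/);
  if (!m) return false;
  const [, scheme, wildcard, host, port, path] = m;
  if (scheme && url.protocol !== scheme + ':') return false;
  const h = url.hostname.toLowerCase();
  if (wildcard ? !h.endsWith('.' + host) : h !== host) return false;
  if (port && port !== '*') {
    const urlPort = url.port || (url.protocol === 'https:' ? '443' : '80');
    if (urlPort !== port) return false;
  }
  // A path ending in "/" is a prefix match, otherwise the path must be exact.
  if (path && (path.endsWith('/') ? !url.pathname.startsWith(path) : url.pathname !== path)) return false;
  return true;
}

// Directive governing a preload "as=" destination, falling back to default-src.
function effectiveDirective(csp, destination) {
  const specific = { style: 'style-src', script: 'script-src', font: 'font-src', image: 'img-src' }[destination];
  if (specific && csp.has(specific)) return specific;
  return csp.has('default-src') ? 'default-src' : null;
}

function cspAllows(csp, destination, urlString, selfOrigin) {
  const name = effectiveDirective(csp, destination);
  if (name === null) return true;          // the policy is silent on this destination
  const url = new URL(urlString);
  return csp.get(name).some((src) => sourceMatches(src, url, selfOrigin));
}

// Evaluate the preloads announced in a 103 response. `hints` holds the header
// values from the 103; `redirects` is a Map(url -> Location) standing in for
// the network. The CSP is re-checked on every hop, so a same-origin preload
// that is redirected to another origin is blocked at that hop.
function evaluateEarlyHints(hints, documentUrl, redirects) {
  const selfOrigin = new URL(documentUrl).origin;
  const csp = hints.csp ? parseCsp(hints.csp) : new Map();
  const results = [];
  for (const link of parseLinkHeader(hints.link, documentUrl)) {
    if (link.params.rel !== 'preload') continue;
    const destination = link.params.as;
    const referrerPolicy = link.params.referrerpolicy || '';  // '' = inherit the document's policy
    const chain = [link.url];
    let blockedAt = cspAllows(csp, destination, link.url, selfOrigin) ? null : link.url;
    while (blockedAt === null && redirects.has(chain[chain.length - 1]) && chain.length <= 20) {
      const next = redirects.get(chain[chain.length - 1]);
      chain.push(next);
      if (!cspAllows(csp, destination, next, selfOrigin)) blockedAt = next;
    }
    results.push({ url: link.url, destination, referrerPolicy, chain, blockedAt });
  }
  return results;
}

// Constructed input mirroring the scenario in comment 5 (not captured traffic).
const DOCUMENT_URL = 'https://example.com/';
const EARLY_HINTS = {
  csp: 'style-src https://example.com/',
  link: '<https://example.com/style.css>; rel=preload; as=style; referrerpolicy=no-referrer',
};
const REDIRECTS = new Map([['https://example.com/style.css', 'https://example.net/style.css']]);

for (const v of evaluateEarlyHints(EARLY_HINTS, DOCUMENT_URL, REDIRECTS)) {
  console.log(`${v.url} as=${v.destination} referrerpolicy=${v.referrerPolicy}: ` +
    (v.blockedAt ? `blocked by CSP at ${v.blockedAt}` : `allowed after ${v.chain.length - 1} redirect(s)`));
}
```

Run as is, the style preload is reported as blocked at https://example.net/style.css: the hinted style-src admits example.com, but the 301 target is not in the list, so the check must run on the redirect hop and not only on the URL named in the Link header. The model applies only the headers of the 103; how the final 200 response's own CSP is then reconciled with the hinted one is what the two test cases in comment 5 separate.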