Tests whether the allowlist filter correctly evaluates the final destination of redirect chains, and whether equivalent host/IP notations are canonicalized to the same policy decision. A filter that only checks the initial URL passes a fetch to /redir/301 (same-origin) but the redirect target https://httpbin.org/get is external and must be blocked. The server exposes /redir/301, /redir/302, /redir/307, /redir/308, /redir/chain, and /redir/long/1 solely for this suite.