Canvas permission and HTTP auth still use FQDN isolation
In #15933 (moved), we relaxed our domain isolation to use TLD instead of FQDN, because FQDN isolation was breaking several sites. However, the HTTP auth and the canvas permissions were not using the same ThirdPartyUtil::GetFirstPartyHostForIsolation() API as everything else was.
We should fix their behavior to use TLD isolation for consistency. I bet some sites will still break due to FQDN isolated HTTP auth in particular..