diff --git a/caps/tests/gtest/TestRedirectChainURITruncation.cpp b/caps/tests/gtest/TestRedirectChainURITruncation.cpp
index 2ce6640dc2ed..34c633499c71 100644
--- a/caps/tests/gtest/TestRedirectChainURITruncation.cpp
+++ b/caps/tests/gtest/TestRedirectChainURITruncation.cpp
@@ -6,13 +6,15 @@
 #include "mozilla/ContentPrincipal.h"
 #include "mozilla/NullPrincipal.h"
 #include "mozilla/SystemPrincipal.h"
+#include "mozilla/ExpandedPrincipal.h"
 #include "nsContentUtils.h"
 #include "mozilla/LoadInfo.h"
 
 namespace mozilla {
 
 void checkPrincipalTruncation(nsIPrincipal* aPrincipal,
-                              const nsACString& aExpectedSpec) {
+                              const nsACString& aExpectedSpec = ""_ns,
+                              const nsTArray<nsCString>& aExpectedSpecs = {}) {
   nsCOMPtr<nsIPrincipal> truncatedPrincipal =
       net::CreateTruncatedPrincipal(aPrincipal);
   ASSERT_TRUE(truncatedPrincipal);
@@ -51,6 +53,20 @@ void checkPrincipalTruncation(nsIPrincipal* aPrincipal,
     return;
   }
 
+  if (aPrincipal->GetIsExpandedPrincipal()) {
+    const nsTArray<nsCOMPtr<nsIPrincipal>>& truncatedAllowList =
+        BasePrincipal::Cast(truncatedPrincipal)
+            ->As<ExpandedPrincipal>()
+            ->AllowList();
+
+    for (size_t i = 0; i < aExpectedSpecs.Length(); ++i) {
+      nsAutoCString principalSpec;
+      truncatedAllowList[i]->GetAsciiSpec(principalSpec);
+      ASSERT_TRUE(principalSpec.Equals(aExpectedSpecs[i]));
+    }
+    return;
+  }
+
   if (aPrincipal->GetIsContentPrincipal()) {
     nsAutoCString principalSpec;
     truncatedPrincipal->GetAsciiSpec(principalSpec);
@@ -62,6 +78,11 @@ void checkPrincipalTruncation(nsIPrincipal* aPrincipal,
   ADD_FAILURE();
 }
 
+void checkPrincipalTruncation(nsIPrincipal* aPrincipal,
+                              const nsTArray<nsCString>& aExpectedSpecs = {}) {
+  checkPrincipalTruncation(aPrincipal, ""_ns, aExpectedSpecs);
+}
+
 TEST(RedirectChainURITruncation, ContentPrincipal)
 {
   // ======================= HTTP Scheme =======================
@@ -169,4 +190,42 @@ TEST(RedirectChainURITruncation, SystemPrincipal)
   checkPrincipalTruncation(principal, ""_ns);
 }
 
+TEST(RedirectChainURITruncation, ExtendedPrincipal)
+{
+  // ======================= HTTP Scheme =======================
+  nsAutoCString httpSpec(
+      "http://root:toor@www.example.com:200/foo/bar/baz.html?qux#thud");
+  nsCOMPtr<nsIURI> uri;
+  nsresult rv = NS_NewURI(getter_AddRefs(uri), httpSpec);
+  ASSERT_EQ(rv, NS_OK);
+
+  nsCOMPtr<nsIPrincipal> firstContentPrincipal;
+  OriginAttributes attrs;
+  firstContentPrincipal = BasePrincipal::CreateContentPrincipal(uri, attrs);
+  ASSERT_TRUE(firstContentPrincipal);
+
+  // ======================= HTTPS Scheme =======================
+  nsCOMPtr<nsIPrincipal> secondContentPrincipal;
+  nsAutoCString httpsSpec(
+      "https://root:toor@www.example.com:200/foo/bar/baz.html?qux#thud");
+  rv = NS_NewURI(getter_AddRefs(uri), httpsSpec);
+  ASSERT_EQ(rv, NS_OK);
+
+  secondContentPrincipal = BasePrincipal::CreateContentPrincipal(uri, attrs);
+  ASSERT_TRUE(secondContentPrincipal);
+
+  // ======================= ExpandedPrincipal =======================
+  const nsTArray<nsCString>& expectedSpecs = {
+      "http://www.example.com:200/foo/bar/baz.html"_ns,
+      "https://www.example.com:200/foo/bar/baz.html"_ns,
+  };
+  nsTArray<nsCOMPtr<nsIPrincipal>> allowList = {firstContentPrincipal,
+                                                secondContentPrincipal};
+  nsCOMPtr<nsIPrincipal> principal =
+      ExpandedPrincipal::Create(allowList, attrs);
+  ASSERT_TRUE(principal);
+
+  checkPrincipalTruncation(principal, expectedSpecs);
+}
+
 }  // namespace mozilla
diff --git a/netwerk/base/LoadInfo.cpp b/netwerk/base/LoadInfo.cpp
index cb996453983e..19c04157f9c7 100644
--- a/netwerk/base/LoadInfo.cpp
+++ b/netwerk/base/LoadInfo.cpp
@@ -1502,10 +1502,26 @@ already_AddRefed<nsIPrincipal> CreateTruncatedPrincipal(
     return NullPrincipal::CreateWithInheritedAttributes(truncatedPrecursor);
   }
 
+  // Expanded Principals shouldn't contain sensitive information but their
+  // allowlists might so we truncate that information here.
+  if (aPrincipal->GetIsExpandedPrincipal()) {
+    nsTArray<nsCOMPtr<nsIPrincipal>> truncatedAllowList;
+
+    for (const auto& allowedPrincipal : BasePrincipal::Cast(aPrincipal)
+                                            ->As<ExpandedPrincipal>()
+                                            ->AllowList()) {
+      nsCOMPtr<nsIPrincipal> truncatedPrincipal =
+          CreateTruncatedPrincipal(allowedPrincipal);
+
+      truncatedAllowList.AppendElement(truncatedPrincipal);
+    }
+
+    return ExpandedPrincipal::Create(truncatedAllowList,
+                                     aPrincipal->OriginAttributesRef());
+  }
+
   // If we hit this assertion we need to update this function to add the
   // Principals and URIs seen as new corner cases to handle.
-  // For example we may need to do this for Expanded Principals and moz-icon
-  // URIs.
   MOZ_ASSERT(false, "Unhandled Principal or URI type encountered.");
 
   truncatedPrincipal = aPrincipal;