OK, I tested this with keepandshare.com (the free account lasts 15 days; I hope this will be enough). Here is my interpretation of the problem:
We start the request as if we were about to load a new page, but then decide it's going to be a download instead.
FrameLoaderClientHaiku::convertMainResourceToDownload is called with the existing request (properly configured with all the needed data).
This ultimately calls the WebDownloadPrivate constructor with said request as an argument.
WebDownloadPrivate creates a new ResourceHandle from that request.
At some point in this, or perhaps a bit later, the cookies for the request get lost. So the "good" initial request ends up not being used (only the headers are parsed), and the request we attempt to use for downloading lacks the cookies, which obviously makes it redirect to the login page.