wpt.fyi shows a variety of iframe-related failures:
(using WebKitGTK as it contains more recent fixes in this area than the latest STP run)
Essentially, regardless of where the policy is specified, we fail to apply a policy on redirection from same (HTTP, not HTTPS) origin, and hence end up sending the Referrer when we shouldn't.
Created attachment 434478 [details]
Comment on attachment 434478 [details]
This also breaks several other tests. This isn't quite right.
SubresourceLoader::checkRedirectionCrossOriginAccessControl is also a good place to look around