wpt.fyi shows a variety of iframe-related failures: https://wpt.fyi/results/referrer-policy/gen?label=master&label=experimental&product=chrome&product=firefox&product=webkitgtk&aligned&q=count%3A2%28status%3Apass%29%20none%28status%3Amissing%7Cstatus%3Anotrun%29%20%21sharedworker (using WebKitGTK as it contains more recent fixes in this area than the latest STP run) Essentially, regardless of where the policy is specified, we fail to apply a policy on redirection from same (HTTP, not HTTPS) origin, and hence end up sending the Referrer when we shouldn't.
Created attachment 434478 [details] Patch
Comment on attachment 434478 [details] Patch This also breaks several other tests. This isn't quite right.
SubresourceLoader::checkRedirectionCrossOriginAccessControl is also a good place to look around
<rdar://problem/81423168>