Bug 272683 (NEW): Referrer-Policy 'unsafe-url' and co. supported for same-site URLs
https://bugs.webkit.org/show_bug.cgi?id=272683
jannis.rautenstrauch
Reported 2024-04-15 08:49:38 PDT
WebKit still supports 'unsafe-url' and other values for 'same-site' URLs. I thought 'unsafe-url' and co. should only be allowed for 'same-origin' URLs.

Visit https://sub.headers.websec.saarland/_hp/tests/referrer-access-rp.sub.html?resp_type=basic&browser_id=1&label=RP&first_id=200&last_id=200&scheme=https&t_resp_id=200&t_element_relation=iframe_iframe&t_resp_origin=https://headers.websec.saarland

The site sub.headers.websec.saarland sets an RP of 'unsafe-url' and the full URL is reported to the cross-origin, same-site site headers.websec.saarland.
Sam Sneddon [:gsnedders]
Comment 1 2024-04-16 11:28:59 PDT
This is to do with ITP's stripping of referrers, after Referrer-Policy has already been applied. https://webkit.org/blog/9661/preventing-tracking-prevention-tracking/ says:

> ITP now downgrades all cross-site request referrer headers to just the page's origin. Previously, this was only done for cross-site requests to classified domains.

It is perhaps surprising that we're doing this for cross-site rather than cross-origin, given it means that our behaviour cannot be described in terms of Referrer-Policy alone. It would perhaps be worthwhile to simply consider all weaker Referrer-Policy policies as identical to origin-when-cross-origin (v. the (non-existent) "origin-when-cross-site" of our current behaviour), or even just never allow anything weaker than the default strict-origin-when-cross-origin.
jannis.rautenstrauch
Comment 2 2024-04-17 00:14:04 PDT
I did not find the blog post describing the current behavior. The browser compat data currently says Safari removed support for 'unsafe-url' in version 13: https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Referrer-Policy#browser_compatibility

Brave seems to never allow anything weaker than the default `strict-origin-when-cross-origin`. Firefox seems to be using the same `origin-when-cross-site`: https://bugzilla.mozilla.org/show_bug.cgi?id=1891510
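Added illustration (not WebKit's or the reporter's code): a small Python model of the two-step derivation described in comments 1 and 2, the Referrer-Policy table followed by an ITP-style cross-site downgrade to the page's origin, run on the report's same-site iframe case. It assumes the registrable domain can be approximated by the last two host labels instead of the Public Suffix List, and models the ITP step only from the blog sentence quoted above.

```python
from urllib.parse import urlsplit

def _host_port(url):
    p = urlsplit(url)
    return p.hostname + (f":{p.port}" if p.port else "")

def origin(url):
    return f"{urlsplit(url).scheme}://{_host_port(url)}"

def site(url):
    # Constructed approximation of the registrable domain: last two host labels
    # (a real implementation consults the Public Suffix List).
    return ".".join(urlsplit(url).hostname.split(".")[-2:])

def full_referrer(url):
    # Spec stripping for a full referrer: drop credentials and fragment, keep path + query
    p = urlsplit(url)
    return origin(url) + (p.path or "/") + (f"?{p.query}" if p.query else "")

def spec_referrer(policy, src, dst):
    """Referer value the Referrer Policy spec yields for a request src -> dst (None = no header)."""
    downgrade = urlsplit(src).scheme == "https" and urlsplit(dst).scheme == "http"
    same_origin = origin(src) == origin(dst)
    full, orig = full_referrer(src), origin(src) + "/"
    table = {
        "no-referrer": None,
        "no-referrer-when-downgrade": None if downgrade else full,
        "same-origin": full if same_origin else None,
        "origin": orig,
        "strict-origin": None if downgrade else orig,
        "origin-when-cross-origin": full if same_origin else orig,
        "strict-origin-when-cross-origin": full if same_origin else (None if downgrade else orig),
        "unsafe-url": full,
    }
    return table[policy]

def webkit_itp_referrer(policy, src, dst):
    """Spec result, then the ITP step quoted above: cross-site referrers are
    reduced to the page's origin, but same-site (even cross-origin) ones are not."""
    ref = spec_referrer(policy, src, dst)
    if ref is not None and site(src) != site(dst):
        return origin(src) + "/"
    return ref

if __name__ == "__main__":
    # Constructed reproduction of the report: unsafe-url page embedding a same-site origin
    src = "https://sub.headers.websec.saarland/_hp/tests/referrer-access-rp.sub.html?resp_type=basic"
    print(webkit_itp_referrer("unsafe-url", src, "https://headers.websec.saarland/"))  # full URL
    print(webkit_itp_referrer("unsafe-url", src, "https://example.com/"))             # origin only
```

The first call shows the reported behaviour (full URL leaks to the cross-origin, same-site embed); the second shows the ITP downgrade that only kicks in once the destination is cross-site.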
Radar WebKit Bug Importer
Comment 3 2024-04-22 08:50:14 PDT