Adding upstream version 110.0.1.upstream/110.0.1upstream

Signed-off-by: Daniel Baumann <daniel.baumann@progress-linux.org>

51 files changed, 1834 insertions, 0 deletions

diff --git a/testing/web-platform/tests/referrer-policy/generic/first-meta-changed-after-second-added.http.html b/testing/web-platform/tests/referrer-policy/generic/first-meta-changed-after-second-added.http.html
new file mode 100644
index 0000000000..2ee5ade8c0
--- /dev/null
+++ b/testing/web-platform/tests/referrer-policy/generic/first-meta-changed-after-second-added.http.html
@@ -0,0 +1,36 @@
+<!DOCTYPE html>
+<head>
+  <script src="/resources/testharness.js"></script>
+  <script src="/resources/testharnessreport.js"></script>
+
+  <meta name="referrer" content="no-referrer" id="referrermeta">
+</head>
+<body>
+  <script>
+    async function fetchAndGetReferrer() {
+      let response = await fetch('/common/security-features/subresource/xhr.py');
+      let data = await response.json();
+      return data.headers.referer;
+    }
+
+    promise_test(async t => {
+      assert_equals(await fetchAndGetReferrer(), undefined,
+                    'referrer should not be set');
+
+      // Add second meta _before_ first meta.
+      const first_meta = document.getElementById('referrermeta');
+      const second_meta = document.createElement('meta');
+      second_meta.name = 'referrer';
+      second_meta.content = 'strict-origin';
+      document.head.appendChild(second_meta);
+      assert_equals(await fetchAndGetReferrer(), window.location.origin + '/',
+                    'referrer should be origin only');
+
+      // Update content attribute of first meta.
+      first_meta.content = 'unsafe-url';
+      assert_equals(await fetchAndGetReferrer(), window.location.href,
+                    'referrer should be full url');
+      }, 'document referrer policy is the value of the most recently modified <meta name="referrer"');
+
+  </script>
+</body>
diff --git a/testing/web-platform/tests/referrer-policy/generic/iframe-src-change.html b/testing/web-platform/tests/referrer-policy/generic/iframe-src-change.html
new file mode 100644
index 0000000000..15202a76a1
--- /dev/null
+++ b/testing/web-platform/tests/referrer-policy/generic/iframe-src-change.html
@@ -0,0 +1,37 @@
+<!DOCTYPE html>
+<script src="/resources/testharness.js"></script>
+<script src="/resources/testharnessreport.js"></script>
+<body>
+<script>
+function nextMessage() {
+  return new Promise((resolve, reject) => {
+    window.addEventListener('message', e => resolve(e.data), {once: true});
+  });
+}
+
+promise_test(async () => {
+  let iframe = document.createElement('iframe');
+  iframe.setAttribute('src', '/common/security-features/subresource/document.py?first')
+  iframe.setAttribute('referrerpolicy', 'no-referrer');
+  document.body.appendChild(iframe);
+
+  try {
+    {
+      let {referrer: documentReferrer, headers: {referer: httpReferrer}} = await nextMessage();
+      assert_equals(httpReferrer, undefined, 'expected no HTTP Referer header on initial load');
+      assert_equals(documentReferrer, undefined, 'expected no document.referrer on initial load');
+    }
+
+    iframe.setAttribute('src', '/common/security-features/subresource/document.py?second');
+
+    {
+      let {referrer: documentReferrer, headers: {referer: httpReferrer}} = await nextMessage();
+      assert_equals(httpReferrer, undefined, 'expected no HTTP Referer header on src change');
+      assert_equals(documentReferrer, undefined, 'expected no document.referrer on src change');
+    }
+  } finally {
+    iframe.remove();
+  }
+}, "Checks that referrerpolicy is respected when an iframe's src changes.");
+</script>
+</body>
diff --git a/testing/web-platform/tests/referrer-policy/generic/iframe-upgrade-request-to-cross-origin.sub.html b/testing/web-platform/tests/referrer-policy/generic/iframe-upgrade-request-to-cross-origin.sub.html
new file mode 100644
index 0000000000..4040072ab9
--- /dev/null
+++ b/testing/web-platform/tests/referrer-policy/generic/iframe-upgrade-request-to-cross-origin.sub.html
@@ -0,0 +1,26 @@
+<!DOCTYPE html>
+<link rel="author" title="Dominic Farolino" href="dom@chromium.org">
+<script src="/resources/testharness.js"></script>
+<script src="/resources/testharnessreport.js"></script>
+<!-- We need to set the CSP via the <meta> tag. If we were to use the HTTP
+     header, we'd have to specify the absolute HTTPS URL of the test harness and
+     reporter, but then this file is not recognized as a test harness test, and
+     will not run -->
+<meta http-equiv="Content-Security-Policy" content="upgrade-insecure-requests">
+<body>
+<iframe id="iframe"></iframe>
+<script>
+async_test(t => {
+  const iframe = document.querySelector('iframe');
+  iframe.src =
+    'http://{{domains[www]}}:{{ports[https][0]}}/referrer-policy/generic/resources/referrer.py';
+
+  addEventListener('message', t.step_func_done(msg => {
+    const referrer = msg.data;
+    assert_equals(referrer, new URL(location.href).origin + '/',
+      "The referrer header sent for the iframe request should be redacted");
+  }));
+}, "If an insecure iframe request is upgraded to https to be cross-origin, " +
+   "referrer policies that consider same-origin-ness should be applied correctly");
+</script>
+</body>
diff --git a/testing/web-platform/tests/referrer-policy/generic/iframe-upgrade-request-to-cross-origin.sub.html.headers b/testing/web-platform/tests/referrer-policy/generic/iframe-upgrade-request-to-cross-origin.sub.html.headers
new file mode 100644
index 0000000000..ad768e6329
--- /dev/null
+++ b/testing/web-platform/tests/referrer-policy/generic/iframe-upgrade-request-to-cross-origin.sub.html.headers
@@ -0,0 +1 @@
+Referrer-Policy: origin-when-cross-origin
diff --git a/testing/web-platform/tests/referrer-policy/generic/iframe-upgrade-request-to-same-origin.sub.https.html b/testing/web-platform/tests/referrer-policy/generic/iframe-upgrade-request-to-same-origin.sub.https.html
new file mode 100644
index 0000000000..f9163bec54
--- /dev/null
+++ b/testing/web-platform/tests/referrer-policy/generic/iframe-upgrade-request-to-same-origin.sub.https.html
@@ -0,0 +1,21 @@
+<!DOCTYPE html>
+<link rel="author" title="Dominic Farolino" href="dom@chromium.org">
+<script src="/resources/testharness.js"></script>
+<script src="/resources/testharnessreport.js"></script>
+<body>
+<iframe id="iframe"></iframe>
+<script>
+async_test(t => {
+  const iframe = document.querySelector('iframe');
+  const insecure_origin = new URL(location.href).origin.replace("https", "http");
+  iframe.src = insecure_origin + '/referrer-policy/generic/resources/referrer.py';
+
+  addEventListener('message', t.step_func_done(msg => {
+    const referrer = msg.data;
+    assert_equals(referrer, location.href,
+      "The referrer header sent for the iframe request should not be redacted");
+  }));
+}, "If an insecure iframe request is upgraded to https to be same-origin, " +
+   "referrer policies that consider same-origin-ness should be applied correctly");
+</script>
+</body>
diff --git a/testing/web-platform/tests/referrer-policy/generic/iframe-upgrade-request-to-same-origin.sub.https.html.headers b/testing/web-platform/tests/referrer-policy/generic/iframe-upgrade-request-to-same-origin.sub.https.html.headers
new file mode 100644
index 0000000000..fd9ee0f032
--- /dev/null
+++ b/testing/web-platform/tests/referrer-policy/generic/iframe-upgrade-request-to-same-origin.sub.https.html.headers
@@ -0,0 +1,2 @@
+Content-Security-Policy: upgrade-insecure-requests
+Referrer-Policy: origin-when-cross-origin
diff --git a/testing/web-platform/tests/referrer-policy/generic/inheritance/iframe-inheritance-about-blank.html b/testing/web-platform/tests/referrer-policy/generic/inheritance/iframe-inheritance-about-blank.html
new file mode 100644
index 0000000000..fc7d39a4cf
--- /dev/null
+++ b/testing/web-platform/tests/referrer-policy/generic/inheritance/iframe-inheritance-about-blank.html
@@ -0,0 +1,107 @@
+<!doctype html>
+<meta charset="utf-8">
+<title>Referrer Policy: iframe src="about:blank"</title>
+<link rel="author" title="Hiroshige Hayashizaki" href="mailto:hiroshige@chromium.org">
+<link rel="author" title="Dom Farolino" href="mailto:dom@chromium.org">
+<script src="/resources/testharness.js"></script>
+<script src="/resources/testharnessreport.js"></script>
+<meta name="referrer" content="origin">
+<body>
+<script>
+const testFetchClientReferrer =
+  async_test("The fetch() API in an about:blank iframe with the 'client' " +
+             "referrer is fetched with no 'Referer' header");
+const testFetchURLReferrer =
+  async_test("The fetch() API in an about:blank iframe with a custom URL " +
+             "referrer is fetched with a 'Referer` header that uses the " +
+             "outer document's URL along with its referrer policy");
+const testDocumentReferrer =
+  async_test("The value of document.referrer in an about:blank iframe is the " +
+             "outer document's full URL, regardless of referrer policy");
+const testSubresource =
+  async_test("A subresource fetched from an about:blank iframe is fetched " +
+             "with no 'Referer' header");
+
+window.addEventListener("message", msg => {
+  const test_name = msg.data.test;
+  const referrer = msg.data.referrer;
+  if (test_name === "testFetchClientReferrer") {
+    testFetchClientReferrer.step_func_done(() => {
+      // Because the URL of the Document of <iframe src="about:blank"> is
+      // "about:blank", the stripped URL is no referrer:
+      // https://w3c.github.io/webappsec-referrer-policy/#strip-url.
+      assert_equals(referrer, undefined);
+    })();
+  } else if (test_name === "testFetchURLReferrer") {
+    // <iframe src="about:blank"> inherits its parent's referrer policy.
+    // Note: Setting an explicit URL as referrer succeeds
+    // because the same-origin check at
+    // https://fetch.spec.whatwg.org/#dom-request
+    // is done against <iframe>'s origin, which inherits the parent
+    // Document's origin == location.orgin. Furthermore, since the iframe
+    // inherits its parent's referrer policy, the URL should be restricted to
+    // its origin.
+    testFetchURLReferrer.step_func_done(() => {
+      assert_equals(referrer, location.origin + '/');
+    })();
+  } else if (test_name === "testDocumentReferrer") {
+    // The referrer of the initial document in an about:blank iframe is set to
+    // its creating document's URL, unredacted by a referrer policy, as per step
+    // 13 of:
+    // https://html.spec.whatwg.org/multipage/browsers.html#creating-a-new-browsing-context.
+    testDocumentReferrer.step_func_done(() => {
+      assert_equals(referrer, location.href);
+    })();
+  } else if (test_name === "testSubresource") {
+    // Because the URL of the Document of <iframe src="about:blank"> is
+    // "about:blank", the stripped URL is no referrer:
+    // https://w3c.github.io/webappsec-referrer-policy/#strip-url.
+    testSubresource.step_func_done(() => {
+      assert_equals(referrer, "");
+    })();
+  }
+});
+
+const iframe = document.createElement("iframe");
+
+iframe.addEventListener("load", function() {
+  const iframe_script = iframe.contentDocument.createElement('script');
+  iframe_script.textContent = `
+    // Test fetch() API with default "client" referrer.
+    fetch("${location.origin}/common/security-features/subresource/xhr.py?name=testFetchClientReferrer")
+      .then(r => r.json())
+      .then(j => {
+          top.postMessage({test: "testFetchClientReferrer", referrer: j.headers.referer}, "*")
+        }).catch(e => {
+          top.postMessage({test: "testFetchClientReferrer", referrer: "FAILURE"}, "*");
+        });
+
+    // Test fetch() API with custom URL referrer.
+    fetch("${location.origin}/common/security-features/subresource/xhr.py?name=URL",
+        {referrer: "${location.href}/custom"})
+      .then(r => r.json())
+      .then(j => {
+          top.postMessage({test: "testFetchURLReferrer", referrer: j.headers.referer}, "*")
+        }).catch(e => {
+          top.postMessage({test: "testFetchURLReferrer", referrer: "FAILURE"}, "*");
+        });
+
+    // Test document.referrer.
+    top.postMessage({test: "testDocumentReferrer", referrer: document.referrer}, "*");
+
+    // Test a subresource being fetched by the iframe.
+    const subresource_script = document.createElement('script');
+    subresource_script.src = "${location.origin}/common/security-features/subresource/referrer.py";
+    subresource_script.onload = e => {
+      top.postMessage({test: "testSubresource", referrer: window.referrer}, "*");
+    }
+    subresource_script.onerror = function(e) {
+      top.postMessage({test: "testSubresource", referrer: "FAILURE"}, "*");
+    };
+    document.head.appendChild(subresource_script);
+  `;
+  iframe.contentDocument.body.appendChild(iframe_script);
+});
+
+document.body.appendChild(iframe);
+</script>
diff --git a/testing/web-platform/tests/referrer-policy/generic/inheritance/iframe-inheritance-data.html b/testing/web-platform/tests/referrer-policy/generic/inheritance/iframe-inheritance-data.html
new file mode 100644
index 0000000000..1d39781e30
--- /dev/null
+++ b/testing/web-platform/tests/referrer-policy/generic/inheritance/iframe-inheritance-data.html
@@ -0,0 +1,27 @@
+<html>
+  <head>
+    <title>Referrer Policy: iframes with data url uses no referrer</title>
+    <link rel="help" href="https://www.w3.org/TR/referrer-policy/#referrer-policy-delivery-nested">
+    <script src="/resources/testharness.js"></script>
+    <script src="/resources/testharnessreport.js"></script>
+    <script src="/common/get-host-info.sub.js"></script>
+    <script src="resources/make-html-script.js"></script>
+    <meta name="referrer" content="origin">
+  </head>
+  <body onload="runTest()">
+    <h1>Referrer Policy: iframes with data url uses no referrer</h1>
+    <script>
+      let test = async_test("iframes with data url uses no referrer");
+      window.addEventListener("message", test.step_func_done(msg => {
+        assert_equals(msg.data.referrer, undefined);
+      }));
+
+      function runTest() {
+        let iframe = document.createElement("iframe");
+        iframe.src = `data:text/html,${createScriptString(get_host_info().REMOTE_ORIGIN)}`;
+        document.body.appendChild(iframe);
+      }
+    </script>
+    <div id="log"></div>
+  </body>
+</html>
diff --git a/testing/web-platform/tests/referrer-policy/generic/inheritance/iframe-inheritance-document-write.html b/testing/web-platform/tests/referrer-policy/generic/inheritance/iframe-inheritance-document-write.html
new file mode 100644
index 0000000000..c88586aaf6
--- /dev/null
+++ b/testing/web-platform/tests/referrer-policy/generic/inheritance/iframe-inheritance-document-write.html
@@ -0,0 +1,34 @@
+<!doctype html>
+<title>Referrer Policy: iframes with document.write()</title>
+<script src="/resources/testharness.js"></script>
+<script src="/resources/testharnessreport.js"></script>
+<script src="/common/get-host-info.sub.js"></script>
+<script src="resources/make-html-script.js"></script>
+<meta name="referrer" content="origin">
+<div id="log"></div>
+<script>
+  let reportedReferrer = () => {
+    return new Promise(resolve => {
+      window.addEventListener("message", msg => resolve(msg.data.referrer));
+    });
+  };
+
+  const iframe = document.createElement("iframe");
+  promise_test(async t => {
+    let referrer_of_srcdoc_iframe = reportedReferrer();
+    const script_to_fetch_cross_origin_resource =
+          createScriptString(get_host_info().REMOTE_ORIGIN, location.origin + "/custom");
+    iframe.srcdoc = `<head><meta name="referrer" content="unsafe-url"></head>`
+      + script_to_fetch_cross_origin_resource;
+    document.body.appendChild(iframe);
+    assert_equals(await referrer_of_srcdoc_iframe, self.origin + "/custom",
+                  "Srcdoc iframe setting referrer policy via meta header should use that referrer policy.");
+
+    let referrer_after_document_open = reportedReferrer();
+    iframe.contentDocument.open();
+    iframe.contentDocument.write(script_to_fetch_cross_origin_resource);
+    iframe.contentDocument.close();
+    assert_equals(await referrer_after_document_open, self.origin + "/custom",
+                  "Referrer policy should not change after document.open().");
+  }, "document.open() should not change the referrer policy of the opened document.");
+</script>
diff --git a/testing/web-platform/tests/referrer-policy/generic/inheritance/iframe-inheritance-history-about-blank.html b/testing/web-platform/tests/referrer-policy/generic/inheritance/iframe-inheritance-history-about-blank.html
new file mode 100644
index 0000000000..8d68ffb5ff
--- /dev/null
+++ b/testing/web-platform/tests/referrer-policy/generic/inheritance/iframe-inheritance-history-about-blank.html
@@ -0,0 +1,80 @@
+<!doctype html>
+<title>Referrer Policy: navigating back to an about:blank iframe reuses the original referrer policy</title>
+<script src="/resources/testharness.js"></script>
+<script src="/resources/testharnessreport.js"></script>
+<meta name="referrer" content="no-referrer">
+<div id="log"></div>
+<script>
+  let checkReferrer = document => {
+    let script = document.createElement('script');
+    script.innerText = `
+      fetch("${origin}/common/security-features/subresource/xhr.py",
+            {referrer: "${location.origin}/custom"})
+        .then(r => r.json())
+        .then(j => {
+          top.postMessage({referrer: j.headers.referer}, "*")
+        }).catch(e => {
+          top.postMessage({referrer: "FAILURE"}, "*");
+        });
+    `
+
+    let referrer = new Promise(resolve => {
+      window.addEventListener("message", function listener(msg) {
+        window.removeEventListener("message", listener, false);
+        resolve(msg.data.referrer);
+      });
+    });
+
+    document.body.appendChild(script);
+
+    return referrer;
+  };
+
+  let iframeLoaded = iframe => {
+    return new Promise(resolve => {
+      iframe.onload = resolve;
+    });
+  };
+
+  promise_test(async t => {
+    // 1. Create an iframe and navigate it to about:blank.
+    // (We cannot just create an empty iframe since the initial empty
+    // document will get its history entry replaced, so we cannot
+    // navigate back to it.)
+    const iframe = document.createElement("iframe");
+    iframe.name = 'test_frame';
+    iframe.src = "/referrer-policy";
+    document.body.appendChild(iframe);
+    await iframeLoaded(iframe);
+
+    window.open('about:blank', 'test_frame');
+    await iframeLoaded(iframe);
+    let referrer_1 = await checkReferrer(iframe.contentDocument);
+    assert_equals(referrer_1, undefined,
+                  "First navigation uses correct policy.");
+
+    // 2. Change the referrer policy of the iframe.
+    let meta = iframe.contentDocument.createElement('meta');
+    meta.name = 'referrer';
+    meta.content = "unsafe-url";
+    iframe.contentDocument.head.appendChild(meta);
+
+    let referrer_2 = await checkReferrer(iframe.contentDocument);
+    assert_equals(referrer_2, location.origin + '/custom',
+                  "Referrer policy correctly changed.");
+
+    // 3. Navigate the iframe elsewhere.
+    window.open('/referrer-policy', 'test_frame');
+    await iframeLoaded(iframe);
+
+    // 4. Navigate the iframe back.
+    iframe.contentWindow.history.back();
+    await iframeLoaded(iframe);
+
+    let referrer_3 = await checkReferrer(iframe.contentDocument);
+    assert_equals(referrer_3, undefined,
+                  "History navigation reuses original policy.");
+    document.body.removeChild(iframe);
+  }, "History navigation reuses original policy.");
+
+</script>
diff --git a/testing/web-platform/tests/referrer-policy/generic/inheritance/iframe-inheritance-history-about-srcdoc.html b/testing/web-platform/tests/referrer-policy/generic/inheritance/iframe-inheritance-history-about-srcdoc.html
new file mode 100644
index 0000000000..91ac5fc139
--- /dev/null
+++ b/testing/web-platform/tests/referrer-policy/generic/inheritance/iframe-inheritance-history-about-srcdoc.html
@@ -0,0 +1,73 @@
+<!doctype html>
+<title>Referrer Policy: navigating back to an about:srcdoc iframe reuses the original referrer policy</title>
+<script src="/resources/testharness.js"></script>
+<script src="/resources/testharnessreport.js"></script>
+<script src="/common/get-host-info.sub.js"></script>
+<script src="resources/make-html-script.js"></script>
+<meta name="referrer" content="no-referrer">
+<div id="log"></div>
+<script>
+  let reportedReferrer = () => {
+    return new Promise(resolve => {
+      window.addEventListener("message", function listener(msg) {
+        window.removeEventListener("message", listener, false);
+        resolve(msg.data.referrer);
+      });
+    });
+  };
+
+  let iframeLoaded = iframe => {
+    return new Promise(resolve => {
+      iframe.onload = resolve;
+    });
+  };
+
+  promise_test(async t => {
+    // 1. Create an about:srcdoc iframe.
+    const iframe = document.createElement("iframe");
+    iframe.name = 'test_frame';
+    let iframe_load_1 = iframeLoaded(iframe);
+    let referrer_1 = reportedReferrer();
+    iframe.srcdoc = createScriptString(get_host_info().REMOTE_ORIGIN,
+                                       location.origin + "/custom");
+    document.body.appendChild(iframe);
+    await iframe_load_1;
+    let referrer_1_result = await referrer_1;
+
+    // 2. Change the referrer policy of the main document.
+    document.getElementsByTagName('meta')[0].content = "unsafe-url";
+
+    // 3. Navigate the iframe elsewhere.
+    let iframe_load_2 = iframeLoaded(iframe);
+    window.open('/referrer-policy', 'test_frame');
+    await iframe_load_2;
+
+    // 4. Navigate the iframe back.
+    let iframe_load_3 = iframeLoaded(iframe);
+    let referrer_2 = reportedReferrer();
+    iframe.contentWindow.history.back();
+    await iframe_load_3;
+
+    // Despite the main document has changed its referrer policy in (2), the
+    // reported referrer for the history navigation to about:srcdoc in (4) must
+    // match with the one originally reported in (1).
+    assert_equals(referrer_1_result, undefined,
+                  "First navigation uses correct policy.");
+    assert_equals(await referrer_2, undefined,
+                  "History navigation reuses original policy.");
+  }, "History navigation reuses original policy.");
+
+  promise_test(async t => {
+    // If we initiate a new about:srcdoc navigation, the new referrer policy
+    // should apply.
+    const new_iframe = document.createElement("iframe");
+    let new_iframe_load = iframeLoaded(new_iframe);
+    let new_iframe_referrer = reportedReferrer();
+    new_iframe.srcdoc = createScriptString(get_host_info().REMOTE_ORIGIN,
+                                           location.origin + "/custom");
+    document.body.appendChild(new_iframe);
+    await new_iframe_load;
+
+    assert_equals(await new_iframe_referrer, self.origin + '/custom');
+  }, "New srcdoc iframe uses new policy.");
+</script>
diff --git a/testing/web-platform/tests/referrer-policy/generic/inheritance/iframe-inheritance-javascript-child.html b/testing/web-platform/tests/referrer-policy/generic/inheritance/iframe-inheritance-javascript-child.html
new file mode 100644
index 0000000000..491f104de4
--- /dev/null
+++ b/testing/web-platform/tests/referrer-policy/generic/inheritance/iframe-inheritance-javascript-child.html
@@ -0,0 +1,77 @@
+<!doctype html>
+<title>Referrer Policy: iframes with javascript url reuse referrer policy</title>
+<script src="/resources/testharness.js"></script>
+<script src="/resources/testharnessreport.js"></script>
+<script src="/common/get-host-info.sub.js"></script>
+<script src="resources/make-html-script.js"></script>
+<meta name="referrer" content="unsafe-url">
+<div id="log"></div>
+<script>
+[
+  {
+    srcDocPolicy: ``,
+    expected: location.origin + "/custom"
+  },
+  {
+    srcDocPolicy: `<meta name="referrer" content="no-referrer">`,
+    expected: undefined
+  }
+].forEach(({ srcDocPolicy, expected }) => {
+  promise_test(t => {
+    return new Promise(resolve => {
+      window.addEventListener("message", t.step_func(msg => {
+        assert_equals(msg.data.referrer, expected);
+        resolve();
+      }), { once:true });
+
+      const iframe = document.createElement("iframe");
+      t.add_cleanup(() => iframe.remove());
+      iframe.srcdoc = `${srcDocPolicy}<body><h1>Outer iframe</h1></body>`;
+      iframe.onload = t.step_func(() => {
+        iframe.onload = null;
+        const iframeChild =  iframe.contentDocument.createElement("iframe");
+        // We add a custom referrer to the fetch request. Otherwise,
+        // since the frame's URL is "about:blank", the Referer header will
+        // always be empty:
+        // https://w3c.github.io/webappsec-referrer-policy/#strip-url.
+        iframeChild.src = `javascript:'${createScriptString(get_host_info().REMOTE_ORIGIN, location.origin+"/custom")}'`;
+        iframe.contentDocument.body.appendChild(iframeChild);
+      });
+      document.body.appendChild(iframe);
+    });
+  });
+});
+
+[
+  {
+    srcDocPolicy: ``,
+    expected: location.href  // Executing javascript does not change the document url.
+                             // Since the algorithm for computing the referrer in a srcdoc
+                             // iframe defers recursively to the parent, the expected
+                             // referrer should be the full url of the main document.
+  },
+  {
+    srcDocPolicy: `<meta name="referrer" content="no-referrer">`,
+    expected: undefined
+  }
+].forEach(({ srcDocPolicy, expected }) => {
+  promise_test(t => {
+    return new Promise(resolve => {
+      window.addEventListener("message", t.step_func(msg => {
+        assert_equals(msg.data.referrer, expected);
+        resolve();
+      }), { once:true });
+
+      const iframe = document.createElement("iframe");
+      t.add_cleanup(() => iframe.remove());
+      iframe.srcdoc = `${srcDocPolicy}<body><h1>Outer iframe</h1></body>`;
+      iframe.onload = t.step_func(() => {
+        iframe.onload = null;
+        iframe.contentWindow.location = `javascript:'${createScriptString(get_host_info().REMOTE_ORIGIN)}'`;
+      });
+      document.body.appendChild(iframe);
+    });
+  });
+});
+
+</script>
diff --git a/testing/web-platform/tests/referrer-policy/generic/inheritance/iframe-inheritance-javascript.html b/testing/web-platform/tests/referrer-policy/generic/inheritance/iframe-inheritance-javascript.html
new file mode 100644
index 0000000000..cf1f099c63
--- /dev/null
+++ b/testing/web-platform/tests/referrer-policy/generic/inheritance/iframe-inheritance-javascript.html
@@ -0,0 +1,45 @@
+<!doctype html>
+<title>Referrer Policy: iframes with javascript url reuse referrer policy</title>
+<script src="/resources/testharness.js"></script>
+<script src="/resources/testharnessreport.js"></script>
+<script src="/common/get-host-info.sub.js"></script>
+<script src="resources/make-html-script.js"></script>
+<meta name="referrer" content="unsafe-url">
+<div id="log"></div>
+<script>
+
+[
+  {
+    fetchReferrer: "",
+    // Because the URL of the Document of <iframe src="javascript:..."> is
+    // "about:blank", the stripped URL is no referrer:
+    // https://w3c.github.io/webappsec-referrer-policy/#strip-url.
+    expected: undefined
+  },
+  {
+    fetchReferrer: location.origin+"/custom",
+    // <iframe src="javascript:..."> inherits its parent's referrer policy.
+    // Note: Setting an explicit URL as referrer succeeds
+    // because the same-origin check at
+    // https://fetch.spec.whatwg.org/#dom-request
+    // is done against <iframe>'s origin, which inherits the parent
+    // Document's origin == location.orgin. Furthermore, since the iframe
+    // inherits its parent's referrer policy, the URL should be restricted to
+    // its origin.
+    expected: self.origin + "/custom"
+  }
+].forEach(({ fetchReferrer, expected }) => {
+  promise_test(t => {
+    return new Promise(resolve => {
+      window.addEventListener("message", t.step_func(msg => {
+        assert_equals(msg.data.referrer, expected);
+        resolve();
+      }), { once: true });
+      const iframe = document.createElement("iframe");
+      iframe.src = `javascript:'${createScriptString(get_host_info().REMOTE_ORIGIN, fetchReferrer)}'`;
+      document.body.appendChild(iframe);
+    });
+  });
+});
+
+</script>
diff --git a/testing/web-platform/tests/referrer-policy/generic/inheritance/iframe-inheritance-srcdoc-child.html b/testing/web-platform/tests/referrer-policy/generic/inheritance/iframe-inheritance-srcdoc-child.html
new file mode 100644
index 0000000000..cd4b4ae724
--- /dev/null
+++ b/testing/web-platform/tests/referrer-policy/generic/inheritance/iframe-inheritance-srcdoc-child.html
@@ -0,0 +1,34 @@
+<!DOCTYPE html>
+<html>
+  <head>
+    <title>Referrer Policy: iframes srdoc child correctly inherit the ancestor's referrer policy</title>
+    <link rel="help" href="https://www.w3.org/TR/referrer-policy/#referrer-policy-delivery-nested">
+    <script src="/resources/testharness.js"></script>
+    <script src="/resources/testharnessreport.js"></script>
+    <script src="/common/get-host-info.sub.js"></script>
+    <script src="resources/make-html-script.js"></script>
+    <meta name="referrer" content="origin">
+  </head>
+  <body onload="runTest()">
+    <h1>Referrer Policy: iframes srcdoc child correctly inherit the ancestor's referrer policy</h1>
+    <script>
+      var test = async_test("iframes srcdoc child correctly inherit the ancestor's referrer policy");
+      window.addEventListener("message", test.step_func_done(msg => {
+        assert_equals(msg.data.referrer, self.origin + "/");
+      }));
+
+      function runTest() {
+        var iframe = document.createElement("iframe");
+        iframe.srcdoc = `<body><h1>Outer iframe</h1></body>`;
+        iframe.onload = test.step_func(() => {
+          iframe.onload = null;
+          var iframeChild =  iframe.contentDocument.createElement("iframe");
+          iframeChild.srcdoc = createScriptString(get_host_info().REMOTE_ORIGIN);
+          iframe.contentDocument.body.appendChild(iframeChild);
+        });
+        document.body.appendChild(iframe);
+      }
+    </script>
+    <div id="log"></div>
+  </body>
+</html>
diff --git a/testing/web-platform/tests/referrer-policy/generic/inheritance/iframe-inheritance-srcdoc.html b/testing/web-platform/tests/referrer-policy/generic/inheritance/iframe-inheritance-srcdoc.html
new file mode 100644
index 0000000000..6904374b63
--- /dev/null
+++ b/testing/web-platform/tests/referrer-policy/generic/inheritance/iframe-inheritance-srcdoc.html
@@ -0,0 +1,45 @@
+<!DOCTYPE html>
+<html>
+  <head>
+    <title>Referrer Policy: iframes srdoc correctly inherit the ancestor's referrer policy</title>
+    <link rel="help" href="https://www.w3.org/TR/referrer-policy/#referrer-policy-delivery-nested">
+    <script src="/resources/testharness.js"></script>
+    <script src="/resources/testharnessreport.js"></script>
+    <script src="/common/get-host-info.sub.js"></script>
+    <script src="resources/make-html-script.js"></script>
+    <meta name="referrer" content="origin">
+  </head>
+  <body>
+    <h1>Referrer Policy: iframes srcdoc correctly inherit the ancestor's referrer policy</h1>
+    <script>
+      let reportedReferrer = () => {
+        return new Promise(resolve => {
+          window.addEventListener("message", msg => resolve(msg.data.referrer));
+        });
+      };
+
+      const iframe = document.createElement("iframe");
+
+      promise_test(async t => {
+        let referrer = reportedReferrer();
+        iframe.srcdoc = createScriptString(get_host_info().REMOTE_ORIGIN,
+                                           location.origin + "/custom");
+        document.body.appendChild(iframe);
+        assert_equals(await referrer, self.origin + "/",
+                      "Referrer policy should be inherited from parent.");
+
+        let meta = document.createElement('meta');
+        meta.name = "referrer";
+        meta.content = "unsafe-url";
+        document.head.appendChild(meta);
+        iframe.contentWindow.postMessage('checkReferrer');
+        assert_equals(
+          await reportedReferrer(), self.origin + "/",
+          "Changing parent's referrer policy has no effect on the child.");
+
+      }, "Srcdoc iframe inherits referrer policy from parent on creation.");
+
+    </script>
+    <div id="log"></div>
+  </body>
+</html>
diff --git a/testing/web-platform/tests/referrer-policy/generic/inheritance/popup-inheritance-about-blank.html b/testing/web-platform/tests/referrer-policy/generic/inheritance/popup-inheritance-about-blank.html
new file mode 100644
index 0000000000..c8e9a9c012
--- /dev/null
+++ b/testing/web-platform/tests/referrer-policy/generic/inheritance/popup-inheritance-about-blank.html
@@ -0,0 +1,105 @@
+<!doctype html>
+<meta charset="utf-8">
+<title>Referrer Policy: popup src="about:blank"</title>
+<script src="/resources/testharness.js"></script>
+<script src="/resources/testharnessreport.js"></script>
+<meta name="referrer" content="origin">
+<body>
+<script>
+const testFetchClientReferrer =
+  async_test("The fetch() API in an about:blank popup with the 'client' " +
+             "referrer is fetched with no 'Referer' header");
+const testFetchURLReferrer =
+  async_test("The fetch() API in an about:blank popup with a custom URL " +
+             "referrer is fetched with a 'Referer` header that uses the " +
+             "outer document's URL along with its referrer policy");
+const testDocumentReferrer =
+  async_test("The value of document.referrer in an about:blank popup is the " +
+             "outer document's full URL, regardless of referrer policy");
+const testSubresource =
+  async_test("A subresource fetched from an about:blank popup is fetched " +
+             "with no 'Referer' header");
+
+window.addEventListener("message", msg => {
+  const test_name = msg.data.test;
+  const referrer = msg.data.referrer;
+  if (test_name === "testFetchClientReferrer") {
+    // Because the URL of the document of the popup opened through
+    // `window.open()` is "about:blank", the stripped URL is no referrer:
+    // https://w3c.github.io/webappsec-referrer-policy/#strip-url.
+    testFetchClientReferrer.step_func_done(() => {
+      assert_equals(referrer, undefined);
+    })();
+  } else if (test_name === "testFetchURLReferrer") {
+    // The "about:blank" popup inherits its opener's referrer policy.
+    // Note: Setting an explicit URL as referrer is allowed per spec because the
+    // same-origin check at https://fetch.spec.whatwg.org/#dom-request is done
+    // against the popup's origin, which inherits the opener document's origin.
+    testFetchURLReferrer.step_func_done(() => {
+      assert_equals(referrer, location.origin + '/');
+    })();
+  } else if (test_name === "testDocumentReferrer") {
+    // The referrer of the initial document in an about:blank popup is set to
+    // its creating document's URL, unredacted by a referrer policy, as per step
+    // 17 of:
+    // https://html.spec.whatwg.org/multipage/browsers.html#creating-a-new-browsing-context.
+    testDocumentReferrer.step_func_done(() => {
+      assert_equals(referrer, location.href);
+    })();
+  } else if (test_name === "testSubresource") {
+    // Because the URL of the document of the popup is "about:blank", the
+    // stripped URL is no referrer:
+    // https://w3c.github.io/webappsec-referrer-policy/#strip-url.
+    //
+    // Note: this test is essentially the same as "testFetchClientReferrer" (the
+    // only difference is that the fetch is not initiated by javascript).
+    // Compared to the other test, we expect the empty string here instead of
+    // `undefined` just because of a testing quirk.
+    testSubresource.step_func_done(() => {
+      assert_equals(referrer, "");
+    })();
+  }
+});
+
+const popup = window.open();
+const script = popup.document.createElement('script');
+
+script.textContent = `
+  // Test fetch() API with default "client" referrer.
+  fetch("${location.origin}/common/security-features/subresource/xhr.py?name=testFetchClientReferrer")
+    .then(r => r.json())
+    .then(j => {
+        opener.postMessage({test: "testFetchClientReferrer", referrer: j.headers.referer}, "*")
+      }).catch(e => {
+        opener.postMessage({test: "testFetchClientReferrer", referrer: "FAILURE"}, "*");
+      });
+
+  // Test fetch() API with custom URL referrer.
+  fetch("${location.origin}/common/security-features/subresource/xhr.py?name=URL",
+      {referrer: "${location.href}/custom"})
+    .then(r => r.json())
+    .then(j => {
+        opener.postMessage({test: "testFetchURLReferrer", referrer: j.headers.referer}, "*")
+      }).catch(e => {
+        opener.postMessage({test: "testFetchURLReferrer", referrer: "FAILURE"}, "*");
+      });
+
+  // Test document.referrer.
+  opener.postMessage({test: "testDocumentReferrer", referrer: document.referrer}, "*");
+
+  // Test a subresource being fetched by the popup.
+  // This is practicallty the same as the first test: the only difference is
+  // that here the fetch is not triggered by a javascript fetch function but by
+  // a script element with a src tag embedded in the html source.
+  const subresource_script = document.createElement('script');
+  subresource_script.src = "${location.origin}/common/security-features/subresource/referrer.py";
+  subresource_script.onload = e => {
+    opener.postMessage({test: "testSubresource", referrer: window.referrer}, "*");
+  }
+  subresource_script.onerror = function(e) {
+    opener.postMessage({test: "testSubresource", referrer: "FAILURE"}, "*");
+  };
+  document.head.appendChild(subresource_script);
+`;
+popup.document.body.appendChild(script);
+</script>
diff --git a/testing/web-platform/tests/referrer-policy/generic/inheritance/popup-inheritance-form-submission.html b/testing/web-platform/tests/referrer-policy/generic/inheritance/popup-inheritance-form-submission.html
new file mode 100644
index 0000000000..2c03792a07
--- /dev/null
+++ b/testing/web-platform/tests/referrer-policy/generic/inheritance/popup-inheritance-form-submission.html
@@ -0,0 +1,30 @@
+<!doctype html>
+<meta charset="utf-8">
+<title>Referrer Policy: popup src="about:blank"</title>
+<link rel="help" href="https://bugs.chromium.org/p/chromium/issues/detail?id=1370425">
+<link rel="help" href="https://html.spec.whatwg.org/#creating-a-new-browsing-context">
+<script src="/resources/testharness.js"></script>
+<script src="/resources/testharnessreport.js"></script>
+<body>
+
+<iframe src="resources/submit-form-and-remove-frame.html"></iframe>
+<script>
+async_test(t => {
+  // Called by the child frame once it has submitted its form that creates a new
+  // `about:blank` window in our browsing context group (therefore, the window
+  // is reachable by us).
+  window.removeIframe = t.step_func(() => {
+    const iframe = document.querySelector('iframe');
+    const expected_referrer = iframe.contentWindow.location.href;
+    iframe.remove();
+
+    // The child frame is removed, but its form submission navigation is still
+    // queued on the opened window's global. Wait until it is run and then
+    // evaluate script.
+    t.step_timeout(t.step_func_done(() => {
+      const window_opened_from_form = window.open("", "does-not-exist");
+      assert_equals(document.referrer, expected_referrer);
+    }));
+  });
+}, "A new frame's document.referrer is correct even if its initiator frame is gone");
+</script>
diff --git a/testing/web-platform/tests/referrer-policy/generic/inheritance/resources/make-html-script.js b/testing/web-platform/tests/referrer-policy/generic/inheritance/resources/make-html-script.js
new file mode 100644
index 0000000000..6c2c145c4e
--- /dev/null
+++ b/testing/web-platform/tests/referrer-policy/generic/inheritance/resources/make-html-script.js
@@ -0,0 +1,19 @@
+function createScriptString(origin, referrer) {
+  let request_init = referrer ? `{referrer: "${referrer}"}` : "";
+  return `<script>
+            function checkReferrer() {
+              fetch("${origin}/common/security-features/subresource/xhr.py",
+                    ${request_init})
+                .then(r => r.json())
+                .then(j => {
+                  top.postMessage({referrer: j.headers.referer}, "*")
+                }).catch(e => {
+                  top.postMessage({referrer: "FAILURE"}, "*");
+                });
+            }
+            checkReferrer();
+            window.addEventListener("message", msg => {
+              if (msg.data === "checkReferrer") checkReferrer();
+            });
+          <\/script>`;
+}
diff --git a/testing/web-platform/tests/referrer-policy/generic/inheritance/resources/submit-form-and-remove-frame.html b/testing/web-platform/tests/referrer-policy/generic/inheritance/resources/submit-form-and-remove-frame.html
new file mode 100644
index 0000000000..bf5ede96d9
--- /dev/null
+++ b/testing/web-platform/tests/referrer-policy/generic/inheritance/resources/submit-form-and-remove-frame.html
@@ -0,0 +1,10 @@
+<!doctype html>
+<meta name='referrer' content='no-referrer'>
+<body onload='start()'>
+<script>
+  function start() {
+    myform.submit();
+    parent.removeIframe();
+  }
+</script>
+<form id='myform' action='about:blank' target='does-not-exist'>
diff --git a/testing/web-platform/tests/referrer-policy/generic/inheritance/workers.html b/testing/web-platform/tests/referrer-policy/generic/inheritance/workers.html
new file mode 100644
index 0000000000..0bd75a1d15
--- /dev/null
+++ b/testing/web-platform/tests/referrer-policy/generic/inheritance/workers.html
@@ -0,0 +1,47 @@
+<html>
+  <head>
+    <title>Referrer Policy: local scheme workers inherit from creator</title>
+    <script src="/resources/testharness.js"></script>
+    <script src="/resources/testharnessreport.js"></script>
+    <script src="/common/get-host-info.sub.js"></script>
+    <meta name="referrer" content="no-referrer">
+  </head>
+  <script>
+    let cross_origin = get_host_info().REMOTE_ORIGIN;
+
+    let generateFetchString = postmessage => `
+      fetch("${cross_origin}/common/security-features/subresource/xhr.py",
+            {referrer: "${location.href}/custom"})
+          .then(r => r.json())
+          .then(j => ${postmessage}({referrer: j.headers.referer}))
+          .catch(e => ${postmessage}({referrer: "FAILURE"}));`
+
+    async_test(t => {
+      let blob = new Blob([generateFetchString("postMessage")],
+                          {type : 'application/javascript'});
+      let blob_url = URL.createObjectURL(blob);
+      let worker = new Worker(blob_url);
+      worker.onmessage = t.step_func_done(msg => {
+        assert_equals(msg.data.referrer, undefined);
+      });
+    }, "Dedicated worker with local scheme inherits referrer policy " +
+               "from the creating document.");
+
+    async_test(t => {
+      let script = `
+        onconnect = e => {
+          let port = e.ports[0];
+          port.start();
+          ${generateFetchString("port.postMessage")}
+        };`
+      let blob = new Blob([script], {type : 'application/javascript'});
+      let blob_url = URL.createObjectURL(blob);
+      let shared_worker = new SharedWorker(blob_url);
+      shared_worker.port.start();
+      shared_worker.port.onmessage = t.step_func_done(msg => {
+        assert_equals(msg.data.referrer, undefined);
+      });
+    }, "Shared worker with local scheme inherits referrer policy " +
+               "from the creating document.");
+  </script>
+</html>
diff --git a/testing/web-platform/tests/referrer-policy/generic/link-rel-prefetch.html b/testing/web-platform/tests/referrer-policy/generic/link-rel-prefetch.html
new file mode 100644
index 0000000000..72e831c921
--- /dev/null
+++ b/testing/web-platform/tests/referrer-policy/generic/link-rel-prefetch.html
@@ -0,0 +1,28 @@
+<!DOCTYPE html>
+<html>
+  <head>
+    <title>Referrer policies for resources loaded via link rel prefetch</title>
+    <script src="/resources/testharness.js"></script>
+    <script src="/resources/testharnessreport.js"></script>
+    <!-- Common global functions for referrer-policy tests. -->
+    <script src="/common/security-features/resources/common.sub.js"></script>
+    <meta name="referrer" content="origin">
+    <link rel="prefetch" href="/common/security-features/subresource/image.py">
+  </head>
+  <body>
+    <p>Check that resources loaded via link rel prefetch use the referrer
+    and referrer policy from the document.</p>
+
+    <script>
+      var img_url = "/common/security-features/subresource/image.py";
+      promise_test((t) => timeoutPromise(t, 1000)
+        .then(() => requestViaImage(img_url, null))
+        .then(message => {
+            assert_equals(message.headers.referer, document.location.origin + "/");
+          }),
+        "Prefetched image.");
+    </script>
+
+    <div id="log"></div>
+  </body>
+</html>
diff --git a/testing/web-platform/tests/referrer-policy/generic/meta-referrer-outofhead-fetch.http.html b/testing/web-platform/tests/referrer-policy/generic/meta-referrer-outofhead-fetch.http.html
new file mode 100644
index 0000000000..1b7a7bada5
--- /dev/null
+++ b/testing/web-platform/tests/referrer-policy/generic/meta-referrer-outofhead-fetch.http.html
@@ -0,0 +1,21 @@
+<!DOCTYPE html>
+<html>
+  <head>
+    <meta charset="utf-8">
+    <script src="/resources/testharness.js"></script>
+    <script src="/resources/testharnessreport.js"></script>
+  </head>
+  <body>
+    <meta name="referrer" content="no-referrer">
+    <script>
+      promise_test((t) =>
+        fetch("/common/security-features/subresource/xhr.py")
+          .then(res => res.json())
+          .then(data => {
+            assert_equals(data.headers.referer, undefined);
+          }),
+        "Referer header was not send");
+    </script>
+    <div id="log"></div>
+  </body>
+</html>
diff --git a/testing/web-platform/tests/referrer-policy/generic/meta-referrer-removed-1.http.html b/testing/web-platform/tests/referrer-policy/generic/meta-referrer-removed-1.http.html
new file mode 100644
index 0000000000..7027788504
--- /dev/null
+++ b/testing/web-platform/tests/referrer-policy/generic/meta-referrer-removed-1.http.html
@@ -0,0 +1,25 @@
+<!DOCTYPE html>
+<head>
+  <script src="/resources/testharness.js"></script>
+  <script src="/resources/testharnessreport.js"></script>
+
+  <meta name="referrer" content="no-referrer" id="referrermeta">
+</head>
+<body>
+  <script>
+    async function fetchAndGetReferrer() {
+      let response = await fetch('/common/security-features/subresource/xhr.py');
+      let data = await response.json();
+      return data.headers.referer;
+    }
+
+    promise_test(async t => {
+      assert_equals(await fetchAndGetReferrer(), undefined,
+                    'referrer should not be set');
+
+      document.getElementById('referrermeta').remove();
+      assert_equals(await fetchAndGetReferrer(), undefined,
+                    'referrer should not be set');
+    }, 'removing <meta name="referrer"> should not change referrer policy');
+  </script>
+</body>
diff --git a/testing/web-platform/tests/referrer-policy/generic/meta-referrer-removed-2.http.html b/testing/web-platform/tests/referrer-policy/generic/meta-referrer-removed-2.http.html
new file mode 100644
index 0000000000..42f73e8781
--- /dev/null
+++ b/testing/web-platform/tests/referrer-policy/generic/meta-referrer-removed-2.http.html
@@ -0,0 +1,34 @@
+<!DOCTYPE html>
+<head>
+  <script src="/resources/testharness.js"></script>
+  <script src="/resources/testharnessreport.js"></script>
+
+  <meta name="referrer" content="no-referrer" id="referrermeta">
+</head>
+<body>
+  <script>
+    async function fetchAndGetReferrer() {
+      let response = await fetch('/common/security-features/subresource/xhr.py');
+      let data = await response.json();
+      return data.headers.referer;
+    }
+
+    promise_test(async t => {
+      assert_equals(await fetchAndGetReferrer(), undefined,
+                    'referrer should not be set');
+
+      // Add second meta tag.
+      const second_meta = document.createElement('meta');
+      second_meta.name = 'referrer';
+      second_meta.content = 'strict-origin';
+      document.head.appendChild(second_meta);
+      // Second meta should override the first.
+      assert_equals(await fetchAndGetReferrer(), location.origin + '/',
+                    'referrer should be origin only');
+
+      second_meta.remove();
+      assert_equals(await fetchAndGetReferrer(), window.location.origin + '/',
+                    'referrer should be origin only');
+    }, 'referrer policy does not change when second <meta name="referrer"> is removed');
+  </script>
+</body>
diff --git a/testing/web-platform/tests/referrer-policy/generic/meta-tag-in-svg-image.html b/testing/web-platform/tests/referrer-policy/generic/meta-tag-in-svg-image.html
new file mode 100644
index 0000000000..5bdc2c1abf
--- /dev/null
+++ b/testing/web-platform/tests/referrer-policy/generic/meta-tag-in-svg-image.html
@@ -0,0 +1,31 @@
+<!DOCTYPE html>
+<html>
+  <head>
+    <title>Referrer Policy: Meta tag in svg image loaded via img should not change referrer policy</title>
+    <meta name="referrer" content="origin"/>
+    <script src="/resources/testharness.js"></script>
+    <script src="/resources/testharnessreport.js"></script>
+    <!-- Common global functions for referrer-policy tests. -->
+    <script src="/common/security-features/resources/common.sub.js"></script>
+  </head>
+  <body>
+    <script>
+      async_test(function(t) {
+        var img = document.createElement("img");
+        img.onload = function() {
+          var urlPath = '/common/security-features/subresource/image.py?cache_destroyer=' + (new Date()).getTime();
+          return requestViaImage(urlPath, null, 'always')
+            .then(t.step_func(function(message) {
+              assert_equals(message.referrer, self.origin + '/');
+            }))
+            .finally(function() { t.done(); });
+        };
+        img.onerror = t.step_func_done(function() {
+          assert_unreached("img should load");
+        });
+        img.src = "./resources/img-with-referrer-policy.svg";
+        document.body.appendChild(img);
+      }, "Meta tag in SVG image loaded via img should be ignored");
+    </script>
+  </body>
+</html>
diff --git a/testing/web-platform/tests/referrer-policy/generic/multiple-headers-and-values.html b/testing/web-platform/tests/referrer-policy/generic/multiple-headers-and-values.html
new file mode 100644
index 0000000000..e6b7b07d51
--- /dev/null
+++ b/testing/web-platform/tests/referrer-policy/generic/multiple-headers-and-values.html
@@ -0,0 +1,30 @@
+<!DOCTYPE html>
+<html>
+  <head>
+    <title>Referrer Policy: multiple Referrer-Policy header and header values are allowed</title>
+    <script src="/resources/testharness.js"></script>
+    <script src="/resources/testharnessreport.js"></script>
+
+    <script src="/common/security-features/resources/common.sub.js"></script>
+  </head>
+  <body>
+    <h1>Referrer Policy: multiple Referrer-Policy header and header values are allowed</h1>
+    <p></p>
+
+    <pre id="received_message">Running...</pre>
+
+    <script>
+      promise_test(() => {
+        var urlPath = '/common/security-features/subresource/image.py?cache_destroyer=' + (new Date()).getTime();
+        var url = location.protocol + "//www1." + location.hostname + ":" + location.port +
+                  urlPath;
+        return requestViaImage(url, null, 'no-referrer')
+          .then(function(message) {
+              assert_equals(message.referrer, document.location.origin + "/");
+            });
+      }, "Image uses the last recognized Referrer-Policy header value");
+    </script>
+
+    <div id="log"></div>
+  </body>
+</html>
diff --git a/testing/web-platform/tests/referrer-policy/generic/multiple-headers-and-values.html.headers b/testing/web-platform/tests/referrer-policy/generic/multiple-headers-and-values.html.headers
new file mode 100644
index 0000000000..d1acc2f1d3
--- /dev/null
+++ b/testing/web-platform/tests/referrer-policy/generic/multiple-headers-and-values.html.headers
@@ -0,0 +1,2 @@
+Referrer-Policy: no-referrer
+Referrer-Policy: no-referrer,origin
diff --git a/testing/web-platform/tests/referrer-policy/generic/multiple-headers-combined.html b/testing/web-platform/tests/referrer-policy/generic/multiple-headers-combined.html
new file mode 100644
index 0000000000..b5c27515df
--- /dev/null
+++ b/testing/web-platform/tests/referrer-policy/generic/multiple-headers-combined.html
@@ -0,0 +1,30 @@
+<!DOCTYPE html>
+<html>
+  <head>
+    <title>Referrer Policy: multiple Referrer-Policy header values are allowed</title>
+    <script src="/resources/testharness.js"></script>
+    <script src="/resources/testharnessreport.js"></script>
+
+    <script src="/common/security-features/resources/common.sub.js"></script>
+  </head>
+  <body>
+    <h1>Referrer Policy: multiple Referrer-Policy header values are allowed</h1>
+    <p></p>
+
+    <pre id="received_message">Running...</pre>
+
+    <script>
+      promise_test(() => {
+        var urlPath = '/common/security-features/subresource/image.py?cache_destroyer=' + (new Date()).getTime();
+        var url = location.protocol + "//www1." + location.hostname + ":" + location.port +
+                  urlPath;
+        return requestViaImage(url, null, 'no-referrer')
+          .then(function(message) {
+              assert_equals(message.referrer, document.location.origin + "/");
+            });
+      }, "Image uses the last recognized Referrer-Policy header value");
+    </script>
+
+    <div id="log"></div>
+  </body>
+</html>
diff --git a/testing/web-platform/tests/referrer-policy/generic/multiple-headers-combined.html.headers b/testing/web-platform/tests/referrer-policy/generic/multiple-headers-combined.html.headers
new file mode 100644
index 0000000000..fc30a2a186
--- /dev/null
+++ b/testing/web-platform/tests/referrer-policy/generic/multiple-headers-combined.html.headers
@@ -0,0 +1 @@
+Referrer-Policy: no-referrer, origin
diff --git a/testing/web-platform/tests/referrer-policy/generic/multiple-headers-one-invalid.html b/testing/web-platform/tests/referrer-policy/generic/multiple-headers-one-invalid.html
new file mode 100644
index 0000000000..eca734601a
--- /dev/null
+++ b/testing/web-platform/tests/referrer-policy/generic/multiple-headers-one-invalid.html
@@ -0,0 +1,34 @@
+<!DOCTYPE html>
+<html>
+  <head>
+    <title>Referrer Policy: multiple Referrer-Policy headers with one invalid</title>
+    <script src="/resources/testharness.js"></script>
+    <script src="/resources/testharnessreport.js"></script>
+
+    <script src="/common/security-features/resources/common.sub.js"></script>
+  </head>
+  <body>
+    <h1>Referrer Policy: multiple Referrer-Policy headers with one invalid</h1>
+    <p></p>
+
+    <pre id="received_message">Running...</pre>
+
+    <script>
+      promise_test(() => {
+        var urlPath = '/common/security-features/subresource/image.py?cache_destroyer=' + (new Date()).getTime();
+        // The default referrer policy is strict-origin-when-cross-origin.
+        // This document's headers contain the 'origin' and 'no-referrer' tokens,
+        // and we're making a same-origin image load, so, if the image request,
+        // uses the default policy (which is what this test's verifying), we
+        // should see the full initiating URL in the referrer, rather than just
+        // the origin or an empty string.
+        return requestViaImage(urlPath, null, 'no-referrer')
+          .then(function(message) {
+              assert_equals(message.referrer, document.location.href);
+            });
+      }, "Referrer policy header parsing fails if one header is invalid");
+    </script>
+
+    <div id="log"></div>
+  </body>
+</html>
diff --git a/testing/web-platform/tests/referrer-policy/generic/multiple-headers-one-invalid.html.headers b/testing/web-platform/tests/referrer-policy/generic/multiple-headers-one-invalid.html.headers
new file mode 100644
index 0000000000..0752193804
--- /dev/null
+++ b/testing/web-platform/tests/referrer-policy/generic/multiple-headers-one-invalid.html.headers
@@ -0,0 +1,2 @@
+Referrer-Policy: origin
+Referrer-Policy: origin no-referrer
diff --git a/testing/web-platform/tests/referrer-policy/generic/multiple-headers-one-unknown-token.html b/testing/web-platform/tests/referrer-policy/generic/multiple-headers-one-unknown-token.html
new file mode 100644
index 0000000000..f07500e546
--- /dev/null
+++ b/testing/web-platform/tests/referrer-policy/generic/multiple-headers-one-unknown-token.html
@@ -0,0 +1,30 @@
+<!DOCTYPE html>
+<html>
+  <head>
+    <title>Referrer Policy: multiple Referrer-Policy headers with one invalid</title>
+    <script src="/resources/testharness.js"></script>
+    <script src="/resources/testharnessreport.js"></script>
+
+    <script src="/common/security-features/resources/common.sub.js"></script>
+  </head>
+  <body>
+    <h1>Referrer Policy: multiple Referrer-Policy headers with one invalid</h1>
+    <p></p>
+
+    <pre id="received_message">Running...</pre>
+
+    <script>
+      promise_test(() => {
+        var urlPath = '/common/security-features/subresource/image.py?cache_destroyer=' + (new Date()).getTime();
+        var url = location.protocol + "//www1." + location.hostname + ":" + location.port +
+                  urlPath;
+        return requestViaImage(url, null, 'no-referrer')
+          .then(function(message) {
+              assert_equals(message.referrer, document.location.origin + "/");
+            });
+      }, "Image uses last recognized referrer policy token from Referrer-Policy headers");
+    </script>
+
+    <div id="log"></div>
+  </body>
+</html>
diff --git a/testing/web-platform/tests/referrer-policy/generic/multiple-headers-one-unknown-token.html.headers b/testing/web-platform/tests/referrer-policy/generic/multiple-headers-one-unknown-token.html.headers
new file mode 100644
index 0000000000..46feffd705
--- /dev/null
+++ b/testing/web-platform/tests/referrer-policy/generic/multiple-headers-one-unknown-token.html.headers
@@ -0,0 +1,2 @@
+Referrer-Policy: no-referrer
+Referrer-Policy: origin,not-a-valid-token
diff --git a/testing/web-platform/tests/referrer-policy/generic/multiple-headers.html b/testing/web-platform/tests/referrer-policy/generic/multiple-headers.html
new file mode 100644
index 0000000000..d6c3a90ccb
--- /dev/null
+++ b/testing/web-platform/tests/referrer-policy/generic/multiple-headers.html
@@ -0,0 +1,30 @@
+<!DOCTYPE html>
+<html>
+  <head>
+    <title>Referrer Policy: multiple Referrer-Policy headers are allowed</title>
+    <script src="/resources/testharness.js"></script>
+    <script src="/resources/testharnessreport.js"></script>
+
+    <script src="/common/security-features/resources/common.sub.js"></script>
+  </head>
+  <body>
+    <h1>Referrer Policy: multiple Referrer-Policy headers are allowed</h1>
+    <p></p>
+
+    <pre id="received_message">Running...</pre>
+
+    <script>
+      promise_test(() => {
+        var urlPath = '/common/security-features/subresource/image.py?cache_destroyer=' + (new Date()).getTime();
+        var url = location.protocol + "//www1." + location.hostname + ":" + location.port +
+                  urlPath;
+        return requestViaImage(url, null, 'no-referrer')
+          .then(function(message) {
+              assert_equals(message.referrer, document.location.origin + "/");
+            });
+      }, "Image uses the last recognized Referrer-Policy header");
+    </script>
+
+    <div id="log"></div>
+  </body>
+</html>
diff --git a/testing/web-platform/tests/referrer-policy/generic/multiple-headers.html.headers b/testing/web-platform/tests/referrer-policy/generic/multiple-headers.html.headers
new file mode 100644
index 0000000000..dd1dd853f2
--- /dev/null
+++ b/testing/web-platform/tests/referrer-policy/generic/multiple-headers.html.headers
@@ -0,0 +1,2 @@
+Referrer-Policy: no-referrer
+Referrer-Policy: origin
diff --git a/testing/web-platform/tests/referrer-policy/generic/resources/img-with-referrer-policy.svg b/testing/web-platform/tests/referrer-policy/generic/resources/img-with-referrer-policy.svg
new file mode 100644
index 0000000000..d54232d7bb
--- /dev/null
+++ b/testing/web-platform/tests/referrer-policy/generic/resources/img-with-referrer-policy.svg
@@ -0,0 +1,6 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<svg width="100%" height="100%" version="1.1"
+xmlns="http://www.w3.org/2000/svg">
+  <meta xmlns="http://www.w3.org/1999/xhtml" name="referrer" content="unsafe-url"/>
+  <circle cx="10" cy="10" r="10" stroke="black" stroke-width="1" fill="red" />
+</svg>
\ No newline at end of file
diff --git a/testing/web-platform/tests/referrer-policy/generic/resources/referrer.py b/testing/web-platform/tests/referrer-policy/generic/resources/referrer.py
new file mode 100644
index 0000000000..2d15dc09c4
--- /dev/null
+++ b/testing/web-platform/tests/referrer-policy/generic/resources/referrer.py
@@ -0,0 +1,10 @@
+def main(request, response):
+    response_headers = [(b"Access-Control-Allow-Origin", b"*")]
+    body = b"""
+    <p id=referrer>%s</p>
+    <script>
+      const referrer_text = referrer.textContent;
+      window.parent.postMessage(referrer_text, "*");
+    </script>
+    """ % request.headers.get(b"referer", b"")
+    return (200, response_headers, body)
diff --git a/testing/web-platform/tests/referrer-policy/generic/sandboxed-iframe-with-opaque-origin.html b/testing/web-platform/tests/referrer-policy/generic/sandboxed-iframe-with-opaque-origin.html
new file mode 100644
index 0000000000..fd1857e0dd
--- /dev/null
+++ b/testing/web-platform/tests/referrer-policy/generic/sandboxed-iframe-with-opaque-origin.html
@@ -0,0 +1,93 @@
+<!DOCTYPE html>
+<html>
+<head>
+  <title>Referrer Policy: Sandboxed iframes with opaque origins don't send referrers</title>
+  <link rel="author" title="Jochen Eisinger" href="mailto:jochen@chromium.org">
+  <link rel="author" title="Arthur Sonzogni" href="mailto:arthursonzogni@chromium.org">
+  <link rel="help" href="https://w3c.github.io/webappsec-referrer-policy/#determine-requests-referrer">
+  <script src="/resources/testharness.js"></script>
+  <script src="/resources/testharnessreport.js"></script>
+  <!-- Common global functions for referrer-policy tests. -->
+  <script src="/common/security-features/resources/common.sub.js"></script>
+  <script src="/common/get-host-info.sub.js"></script>
+</head>
+<body>
+<h1>
+  Referrer Policy: A document with an opaque origin doesn't send referrers
+</h1>
+<script>
+
+let futureMessage = function() {
+  return new Promise(resolve => {
+    window.addEventListener("message", event => resolve(event.data));
+  });
+}
+
+function testSandboxedIframeSubresource(description,
+                                        sandboxAttributes,
+                                        expectedReferrer) {
+  promise_test(async test => {
+    let resource_url = get_host_info().HTTP_NOTSAMESITE_ORIGIN +
+      "/common/security-features/subresource/xhr.py";
+    const iframe = document.createElement("iframe");
+    iframe.sandbox = sandboxAttributes;
+    iframe.srcdoc = `
+      <meta name="referrer" content="always">
+      <script src="/common/security-features/resources/common.sub.js">
+      </scr`+`ipt>
+      <script>
+        requestViaFetch("${resource_url}").then((msg) => {
+          parent.postMessage(msg.referrer, '*');
+        }).catch((e) => {
+          parent.postMessage("FAILURE", '*');
+        });
+      </scr`+`ipt>
+    `;
+
+    const future_message = futureMessage();
+    document.body.appendChild(iframe);
+    assert_equals(await future_message, expectedReferrer);
+
+  }, description);
+}
+
+function testSandboxedIframeMainResource(description,
+                                         sandboxAttributes,
+                                         expectedReferrer) {
+  promise_test(async test => {
+    let document_url = get_host_info().HTTP_NOTSAMESITE_ORIGIN +
+      "/referrer-policy/generic/resources/referrer.py";
+    const iframe = document.createElement("iframe");
+    iframe.sandbox = sandboxAttributes;
+    iframe.srcdoc = `
+      <meta name="referrer" content="always">
+      <script>
+        onload = () => {
+          location.href = "${document_url}";
+        }
+      </scr`+`ipt>
+    `;
+
+    const future_message = futureMessage();
+    document.body.appendChild(iframe);
+    assert_equals(await future_message, expectedReferrer);
+
+  }, description);
+}
+
+testSandboxedIframeSubresource(
+  "Sandboxed iframe with opaque origin doesn't send referrers to subresources",
+  "allow-scripts", undefined);
+testSandboxedIframeSubresource(
+  "Sandboxed iframe with tuple origin sends referrers to subresources",
+  "allow-same-origin allow-scripts", document.location.href);
+testSandboxedIframeMainResource(
+  "Sandboxed iframe with opaque origin doesn't send referrers on navigation",
+  "allow-scripts", "");
+testSandboxedIframeMainResource(
+  "Sandboxed iframe with tuple origin sends referrers on navigation",
+  "allow-same-origin allow-scripts", document.location.href);
+
+</script>
+</body>
+</html>
diff --git a/testing/web-platform/tests/referrer-policy/generic/sanity-checker.js b/testing/web-platform/tests/referrer-policy/generic/sanity-checker.js
new file mode 100644
index 0000000000..e296ce93b9
--- /dev/null
+++ b/testing/web-platform/tests/referrer-policy/generic/sanity-checker.js
@@ -0,0 +1,46 @@
+// The SanityChecker is used in debug mode to identify problems with the
+// structure of the testsuite. In release mode it is mocked out to do nothing.
+
+function SanityChecker()  {}
+
+SanityChecker.prototype.checkScenario = function(scenario) {
+  // Check if scenario is valid.
+  // TODO(kristijanburnik): Move to a sanity-checks.js for debug mode only.
+  test(function() {
+
+    // We extend the exsiting test_expansion_schema not to kill performance by
+    // copying.
+    var expectedFields = SPEC_JSON["test_expansion_schema"];
+    expectedFields["referrer_policy"] = SPEC_JSON["referrer_policy_schema"];
+
+    for (var field in expectedFields) {
+      assert_own_property(scenario, field,
+                          "The scenario contains field " + field)
+      assert_in_array(scenario[field], expectedFields[field],
+                      "Scenario's " + field + " is one of: " +
+                      expectedFields[field].join(", ")) + "."
+    }
+
+    // Check if the protocol is matched.
+    assert_equals(scenario["source_protocol"] + ":", location.protocol,
+                  "Protocol of the test page should match the scenario.")
+
+  }, "[ReferrerPolicyTestCase] The test scenario is valid.");
+}
+
+SanityChecker.prototype.checkSubresourceResult = function(scenario,
+                                                          subresourceUrl,
+                                                          result) {
+  assert_equals(Object.keys(result).length, 3);
+  assert_own_property(result, "location");
+  assert_own_property(result, "referrer");
+  assert_own_property(result, "headers");
+
+  // Skip location check for scripts.
+  if (scenario.subresource == "script-tag")
+    return;
+
+  // Sanity check: location of sub-resource matches reported location.
+  assert_equals(result.location, subresourceUrl,
+                "Subresource reported location.");
+};
diff --git a/testing/web-platform/tests/referrer-policy/generic/second-meta-referrer-added-before-first.http.html b/testing/web-platform/tests/referrer-policy/generic/second-meta-referrer-added-before-first.http.html
new file mode 100644
index 0000000000..38fab901fb
--- /dev/null
+++ b/testing/web-platform/tests/referrer-policy/generic/second-meta-referrer-added-before-first.http.html
@@ -0,0 +1,31 @@
+<!DOCTYPE html>
+<head>
+  <script src="/resources/testharness.js"></script>
+  <script src="/resources/testharnessreport.js"></script>
+
+  <meta name="referrer" content="no-referrer" id="referrermeta">
+</head>
+<body>
+  <script>
+    async function fetchAndGetReferrer() {
+      let response = await fetch('/common/security-features/subresource/xhr.py');
+      let data = await response.json();
+      return data.headers.referer;
+    }
+
+    promise_test(async t => {
+      assert_equals(await fetchAndGetReferrer(), undefined,
+                    'referrer should not be set');
+
+      // Add second meta _before_ first meta.
+      const first_meta = document.getElementById('referrermeta');
+      const second_meta = document.createElement('meta');
+      second_meta.name = 'referrer';
+      second_meta.content = 'strict-origin';
+      document.head.insertBefore(second_meta, first_meta);
+      assert_equals(await fetchAndGetReferrer(), window.location.origin + '/',
+                    'referrer should the origin only');
+    }, 'document referrer policy is the value of the most recently added <meta name="referrer">');
+
+  </script>
+</body>
diff --git a/testing/web-platform/tests/referrer-policy/generic/subresource-test/area-navigate.html b/testing/web-platform/tests/referrer-policy/generic/subresource-test/area-navigate.html
new file mode 100644
index 0000000000..2a4f29654d
--- /dev/null
+++ b/testing/web-platform/tests/referrer-policy/generic/subresource-test/area-navigate.html
@@ -0,0 +1,39 @@
+<!DOCTYPE html>
+<!-- TODO(kristijanburnik): Remove subres. duplication. Reuse a template. -->
+<html>
+  <head>
+    <title>Area Link messaging - cross-origin Area Link navigation</title>
+    <script src="/resources/testharness.js"></script>
+    <script src="/resources/testharnessreport.js"></script>
+    <!-- Common global functions for referrer-policy tests. -->
+    <script src="/common/security-features/resources/common.sub.js"></script>
+  </head>
+  <body>
+    <h1>Area Link messaging - cross-origin Area Link navigation</h1>
+    <p>If you can read JSON encoded HTTP request headers of the Area link below,
+       the messaging works as expected.</p>
+
+    <pre id="received_message">Running...</pre>
+
+    <script>
+      promise_test(function() {
+          var urlPath = '/common/security-features/subresource/document.py';
+          var url = location.protocol + "//www1." + location.hostname + ":" + location.port +
+                    urlPath;
+          return requestViaArea(url)
+            .then(function(message) {
+              var pre = document.getElementById('received_message')
+              var headers = message.headers;
+              pre.innerHTML = "";
+              pre.innerHTML += url + ":\n\n";
+              pre.innerHTML += JSON.stringify(headers, null, 2) + "\n\n"
+              assert_own_property(headers, "host")
+              assert_own_property(headers, "connection")
+            });
+        },
+        "Area is responding with HTTP headers");
+    </script>
+
+    <div id="log"></div>
+  </body>
+</html>
diff --git a/testing/web-platform/tests/referrer-policy/generic/subresource-test/attr-referrer-invalid-value.html b/testing/web-platform/tests/referrer-policy/generic/subresource-test/attr-referrer-invalid-value.html
new file mode 100644
index 0000000000..bfdf1166ce
--- /dev/null
+++ b/testing/web-platform/tests/referrer-policy/generic/subresource-test/attr-referrer-invalid-value.html
@@ -0,0 +1,25 @@
+<!DOCTYPE html>
+<html>
+  <head>
+    <title>Invalid referrerPolicy attribute value</title>
+    <script src="/resources/testharness.js"></script>
+    <script src="/resources/testharnessreport.js"></script>
+  </head>
+  <body>
+    <h1>Invalid referrerPolicy attribute value</h1>
+    <pre>Running...</pre>
+
+    <script>
+      test(function () {
+          var elements = ["iframe", "img", "a", "area", "link", "script"];
+          for (var i = 0; i < elements.length; i++) {
+              var elem = document.createElement(elements[i]);
+              elem.referrerPolicy = "unsafe-url";
+              assert_equals(elem.referrerPolicy, "unsafe-url");
+              elem.referrerPolicy = "not-valid-value";
+              assert_equals(elem.referrerPolicy, "");
+          }
+      }, "Invalid referrerpolicy values not reflected");
+    </script>
+  </body>
+</html>
diff --git a/testing/web-platform/tests/referrer-policy/generic/subresource-test/fetch-messaging.html b/testing/web-platform/tests/referrer-policy/generic/subresource-test/fetch-messaging.html
new file mode 100644
index 0000000000..2678af822e
--- /dev/null
+++ b/testing/web-platform/tests/referrer-policy/generic/subresource-test/fetch-messaging.html
@@ -0,0 +1,42 @@
+<!DOCTYPE html>
+<!-- TODO(kristijanburnik): Remove subres. duplication. Reuse a template. -->
+<html>
+  <head>
+    <title>Fetch messaging - same-origin Fetch request</title>
+    <script src="/resources/testharness.js"></script>
+    <script src="/resources/testharnessreport.js"></script>
+    <!-- Common global functions for referrer-policy tests. -->
+    <script src="/common/security-features/resources/common.sub.js"></script>
+  </head>
+  <body>
+    <h1>Fetch messaging - same-origin Fetch request</h1>
+    <p>If you can read JSON encoded HTTP request headers of the Fetch below,
+       the messaging works as expected.</p>
+
+    <pre id="received_message">Running...</pre>
+
+    <script>
+      test(function() {
+        assert_true(!!window.fetch, "Fetch is not supported by this browser.");
+      }, "Fetch is supported by the browser.");
+
+      promise_test(function() {
+          var urlPath = '/common/security-features/subresource/xhr.py';
+          var url = location.protocol + "//" + location.hostname + ":" +
+                    location.port + urlPath;
+          return requestViaFetch(url)
+            .then(function(message) {
+                var pre = document.getElementById('received_message')
+                var headers = message.headers;
+                pre.innerHTML = "";
+                pre.innerHTML += url + ":\n\n";
+                pre.innerHTML += JSON.stringify(headers, null, 2) + "\n\n";
+                assert_own_property(headers, "host")
+                assert_own_property(headers, "connection")
+              });
+      }, "Fetch is responding with HTTP headers");
+    </script>
+
+    <div id="log"></div>
+  </body>
+</html>
diff --git a/testing/web-platform/tests/referrer-policy/generic/subresource-test/iframe-messaging.html b/testing/web-platform/tests/referrer-policy/generic/subresource-test/iframe-messaging.html
new file mode 100644
index 0000000000..b8bdb0e5e0
--- /dev/null
+++ b/testing/web-platform/tests/referrer-policy/generic/subresource-test/iframe-messaging.html
@@ -0,0 +1,38 @@
+<!DOCTYPE html>
+<!-- TODO(kristijanburnik): Remove subres. duplication. Reuse a template. -->
+<html>
+  <head>
+    <title>Iframe messaging - cross-origin iframe request</title>
+    <script src="/resources/testharness.js"></script>
+    <script src="/resources/testharnessreport.js"></script>
+    <!-- Common global functions for referrer-policy tests. -->
+    <script src="/common/security-features/resources/common.sub.js"></script>
+  </head>
+  <body>
+    <h1>Iframe messaging - cross-origin iframe request</h1>
+    <p>If you can read JSON encoded HTTP request headers of the iframe below,
+       the messaging works as expected.</p>
+
+    <pre id="received_message">Running...</pre>
+
+    <script>
+      promise_test(function() {
+        var urlPath = '/common/security-features/subresource/document.py';
+        var url = location.protocol + "//www1." + location.hostname + ":" + location.port +
+                  urlPath;
+        return requestViaIframe(url)
+          .then(function(message) {
+            var pre = document.getElementById('received_message')
+            var headers = message.headers;
+            pre.innerHTML = "";
+            pre.innerHTML += url + ":\n\n";
+            pre.innerHTML += JSON.stringify(headers, null, 2) + "\n\n"
+            assert_own_property(headers, "host")
+            assert_own_property(headers, "connection")
+          });
+      }, "Iframe is responding with HTTP headers");
+    </script>
+
+    <div id="log"></div>
+  </body>
+</html>
diff --git a/testing/web-platform/tests/referrer-policy/generic/subresource-test/image-decoding.html b/testing/web-platform/tests/referrer-policy/generic/subresource-test/image-decoding.html
new file mode 100644
index 0000000000..76ce0e263a
--- /dev/null
+++ b/testing/web-platform/tests/referrer-policy/generic/subresource-test/image-decoding.html
@@ -0,0 +1,38 @@
+<!DOCTYPE html>
+<!-- TODO(kristijanburnik): Remove subres. duplication. Reuse a template. -->
+<html>
+  <head>
+    <title>Image decoding - cross-origin image request</title>
+    <script src="/resources/testharness.js"></script>
+    <script src="/resources/testharnessreport.js"></script>
+    <!-- Common global functions for referrer-policy tests. -->
+    <script src="/common/security-features/resources/common.sub.js"></script>
+  </head>
+  <body>
+    <h1>Image decoding - cross-origin image request</h1>
+    <p>If you can read JSON encoded HTTP headers of the image below,
+       the decoding works as expected.</p>
+
+    <pre id="received_message">Running...</pre>
+
+    <script>
+      promise_test(function() {
+        var urlPath = '/common/security-features/subresource/image.py';
+        var url = location.protocol + "//www1." + location.hostname + ":" + location.port +
+                  urlPath + "?cache_destroyer=" + (new Date()).getTime();
+        return requestViaImage(url, undefined, "always")
+          .then(function(message) {
+            var pre = document.getElementById('received_message')
+            var headers = message.headers;
+            pre.innerHTML = "";
+            pre.innerHTML += url + ":\n\n";
+            pre.innerHTML += JSON.stringify(headers, null, 2) + "\n\n"
+            assert_own_property(headers, "host")
+            assert_own_property(headers, "connection")
+          });
+      }, "Image is encoding headers as JSON.");
+    </script>
+
+    <div id="log"></div>
+  </body>
+</html>
diff --git a/testing/web-platform/tests/referrer-policy/generic/subresource-test/link-navigate.html b/testing/web-platform/tests/referrer-policy/generic/subresource-test/link-navigate.html
new file mode 100644
index 0000000000..21783d3e31
--- /dev/null
+++ b/testing/web-platform/tests/referrer-policy/generic/subresource-test/link-navigate.html
@@ -0,0 +1,38 @@
+<!DOCTYPE html>
+<!-- TODO(kristijanburnik): Remove subres. duplication. Reuse a template. -->
+<html>
+  <head>
+    <title>Link messaging - cross-origin Link navigation</title>
+    <script src="/resources/testharness.js"></script>
+    <script src="/resources/testharnessreport.js"></script>
+    <!-- Common global functions for referrer-policy tests. -->
+    <script src="/common/security-features/resources/common.sub.js"></script>
+  </head>
+  <body>
+    <h1>Link messaging - cross-origin Link navigation</h1>
+    <p>If you can read JSON encoded HTTP request headers of the Link below,
+       the messaging works as expected.</p>
+
+    <pre id="received_message">Running...</pre>
+
+    <script>
+      promise_test(function() {
+        var urlPath = '/common/security-features/subresource/document.py';
+        var url = location.protocol + "//www1." + location.hostname + ":" + location.port +
+                  urlPath;
+        return requestViaAnchor(url)
+          .then(function(message) {
+              var pre = document.getElementById('received_message')
+              var headers = message.headers;
+              pre.innerHTML = "";
+              pre.innerHTML += url + ":\n\n";
+              pre.innerHTML += JSON.stringify(headers, null, 2) + "\n\n"
+              assert_own_property(headers, "host")
+              assert_own_property(headers, "connection")
+            });
+      }, "Link is responding with HTTP headers");
+    </script>
+
+    <div id="log"></div>
+  </body>
+</html>
diff --git a/testing/web-platform/tests/referrer-policy/generic/subresource-test/script-messaging.html b/testing/web-platform/tests/referrer-policy/generic/subresource-test/script-messaging.html
new file mode 100644
index 0000000000..1bc0ba13ef
--- /dev/null
+++ b/testing/web-platform/tests/referrer-policy/generic/subresource-test/script-messaging.html
@@ -0,0 +1,38 @@
+<!DOCTYPE html>
+<!-- TODO(kristijanburnik): Remove subres. duplication. Reuse a template. -->
+<html>
+  <head>
+    <title>Script messaging - cross-origin Script request</title>
+    <script src="/resources/testharness.js"></script>
+    <script src="/resources/testharnessreport.js"></script>
+    <!-- Common global functions for referrer-policy tests. -->
+    <script src="/common/security-features/resources/common.sub.js"></script>
+  </head>
+  <body>
+    <h1>Script messaging - cross-origin Script request</h1>
+    <p>If you can read JSON encoded HTTP request headers of the Script below,
+       the messaging works as expected.</p>
+
+    <pre id="received_message">Running...</pre>
+
+    <script>
+      promise_test(function() {
+        var urlPath = '/common/security-features/subresource/script.py';
+        var url = location.protocol + "//www1." + location.hostname + ":" + location.port +
+                  urlPath;
+        return requestViaScript(url)
+          .then(function(message) {
+              var pre = document.getElementById('received_message')
+              var headers = message.headers;
+              pre.innerHTML = "";
+              pre.innerHTML += url + ":\n\n";
+              pre.innerHTML += JSON.stringify(headers, null, 2) + "\n\n"
+              assert_own_property(headers, "host")
+              assert_own_property(headers, "connection")
+            });
+      }, "Script is responding with HTTP headers");
+    </script>
+
+    <div id="log"></div>
+  </body>
+</html>
diff --git a/testing/web-platform/tests/referrer-policy/generic/subresource-test/worker-messaging.html b/testing/web-platform/tests/referrer-policy/generic/subresource-test/worker-messaging.html
new file mode 100644
index 0000000000..c2db8fe845
--- /dev/null
+++ b/testing/web-platform/tests/referrer-policy/generic/subresource-test/worker-messaging.html
@@ -0,0 +1,38 @@
+<!DOCTYPE html>
+<!-- TODO(kristijanburnik): Remove subres. duplication. Reuse a template. -->
+<html>
+  <head>
+    <title>Worker messaging - same-origin Worker request</title>
+    <script src="/resources/testharness.js"></script>
+    <script src="/resources/testharnessreport.js"></script>
+    <!-- Common global functions for referrer-policy tests. -->
+    <script src="/common/security-features/resources/common.sub.js"></script>
+  </head>
+  <body>
+    <h1>Worker messaging - same-origin Worker request</h1>
+    <p>If you can read JSON encoded HTTP request headers of the Worker below,
+       the messaging works as expected.</p>
+
+    <pre id="received_message">Running...</pre>
+
+    <script>
+      promise_test(function() {
+        var urlPath = '/common/security-features/subresource/worker.py';
+        var url = location.protocol + "//" + location.hostname + ":" +
+                  location.port + urlPath;
+        return requestViaDedicatedWorker(url, {})
+          .then(function(message) {
+              var pre = document.getElementById('received_message')
+              var headers = message.headers;
+              pre.innerHTML = "";
+              pre.innerHTML += url + ":\n\n";
+              pre.innerHTML += JSON.stringify(headers, null, 2) + "\n\n"
+              assert_own_property(headers, "host")
+              assert_own_property(headers, "connection")
+            });
+      }, "Worker is responding with HTTP headers");
+    </script>
+
+    <div id="log"></div>
+  </body>
+</html>
diff --git a/testing/web-platform/tests/referrer-policy/generic/subresource-test/xhr-messaging.html b/testing/web-platform/tests/referrer-policy/generic/subresource-test/xhr-messaging.html
new file mode 100644
index 0000000000..c1f89919ca
--- /dev/null
+++ b/testing/web-platform/tests/referrer-policy/generic/subresource-test/xhr-messaging.html
@@ -0,0 +1,38 @@
+<!DOCTYPE html>
+<!-- TODO(kristijanburnik): Remove subres. duplication. Reuse a template. -->
+<html>
+  <head>
+    <title>XHR messaging - cross-origin XHR request</title>
+    <script src="/resources/testharness.js"></script>
+    <script src="/resources/testharnessreport.js"></script>
+    <!-- Common global functions for referrer-policy tests. -->
+    <script src="/common/security-features/resources/common.sub.js"></script>
+  </head>
+  <body>
+    <h1>XHR messaging - cross-origin XHR request</h1>
+    <p>If you can read JSON encoded HTTP request headers of the XHR below,
+       the messaging works as expected.</p>
+
+    <pre id="received_message">Running...</pre>
+
+    <script>
+      promise_test(function() {
+        var urlPath = '/common/security-features/subresource/xhr.py';
+        var url = location.protocol + "//www1." + location.hostname + ":" + location.port +
+                  urlPath;
+        return requestViaXhr(url)
+          .then(function(message) {
+              var pre = document.getElementById('received_message')
+              var headers = message.headers;
+              pre.innerHTML = "";
+              pre.innerHTML += url + ":\n\n";
+              pre.innerHTML += JSON.stringify(headers, null, 2) + "\n\n"
+              assert_own_property(headers, "host")
+              assert_own_property(headers, "connection")
+            });
+      }, "XHR is responding with HTTP headers");
+    </script>
+
+    <div id="log"></div>
+  </body>
+</html>
diff --git a/testing/web-platform/tests/referrer-policy/generic/test-case.sub.js b/testing/web-platform/tests/referrer-policy/generic/test-case.sub.js
new file mode 100644
index 0000000000..717cd1a5e7
--- /dev/null
+++ b/testing/web-platform/tests/referrer-policy/generic/test-case.sub.js
@@ -0,0 +1,127 @@
+// https://w3c.github.io/webappsec-referrer-policy/#strip-url
+function stripUrlForUseAsReferrer(url, originOnly) {
+  // Step 2. If url’s scheme is a local scheme, then return no referrer.
+  const parsedUrl = new URL(url);
+
+  if (["about:", "blob:", "data:"].includes(parsedUrl.protocol))
+    return undefined;
+
+  // Step 3. Set url’s username to the empty string.
+  parsedUrl.username = '';
+
+  // Step 4. Set url’s password to null.
+  parsedUrl.password = '';
+
+  // Step 5. Set url’s fragment to null.
+  parsedUrl.hash = '';
+
+  //  Step 6. If the origin-only flag is true, then:
+  if (originOnly) {
+    // Step 6.1. Set url’s path to null.
+    parsedUrl.pathname = '';
+    // Step 6.2. Set url’s query to null.
+    parsedUrl.search = '';
+  }
+  return parsedUrl.href;
+}
+
+function invokeScenario(scenario) {
+  const urls = getRequestURLs(
+    scenario.subresource,
+    scenario.origin,
+    scenario.redirection);
+  /** @type {Subresource} */
+  const subresource = {
+    subresourceType: scenario.subresource,
+    url: urls.testUrl,
+    policyDeliveries: scenario.subresource_policy_deliveries,
+  };
+
+  return invokeRequest(subresource, scenario.source_context_list);
+}
+
+const referrerUrlResolver = {
+  // The spec allows UAs to "enforce arbitrary policy considerations in the
+  // interests of minimizing data leakage"; to start to vaguely approximate
+  // this, we allow stronger policies to be used instead of what's specificed.
+  "omitted": function(sourceUrl) {
+    return [undefined];
+  },
+  "origin": function(sourceUrl) {
+    return [stripUrlForUseAsReferrer(sourceUrl, true),
+            undefined];
+  },
+  "stripped-referrer": function(sourceUrl) {
+    return [stripUrlForUseAsReferrer(sourceUrl, false),
+            stripUrlForUseAsReferrer(sourceUrl, true),
+            undefined];
+  }
+};
+
+function checkResult(scenario, expectation, result) {
+// https://w3c.github.io/webappsec-referrer-policy/#determine-requests-referrer
+  let referrerSource = result.sourceContextUrl;
+  const sentFromSrcdoc = scenario.source_context_list.length > 0 &&
+      scenario.source_context_list[scenario.source_context_list.length - 1]
+      .sourceContextType === 'srcdoc';
+  if (sentFromSrcdoc) {
+    // Step 3. While document is an iframe srcdoc document, let document be
+    // document's browsing context's browsing context container's node
+    // document. [spec text]
+
+    // Workaround for srcdoc cases. Currently we only test <iframe srcdoc>
+    // inside the top-level Document, so |document| in the spec here is
+    // the top-level Document.
+    // This doesn't work if e.g. we test <iframe srcdoc> inside another
+    // external <iframe>.
+    referrerSource = location.toString();
+  }
+  const possibleReferrerUrls =
+    referrerUrlResolver[expectation](referrerSource);
+
+  // Check the reported URL.
+  assert_in_array(result.referrer,
+                  possibleReferrerUrls,
+                  "document.referrer");
+  assert_in_array(result.headers.referer,
+                  possibleReferrerUrls,
+                  "HTTP Referer header");
+}
+
+function runLengthTest(scenario, urlLength, expectation, testDescription) {
+  // `Referer` headers with length over 4k are culled down to an origin, so,
+  // let's test around that boundary for tests that would otherwise return
+  // the complete URL.
+  history.pushState(null, null, "/");
+  history.replaceState(null, null,
+      "A".repeat(urlLength - location.href.length));
+
+  promise_test(t => {
+    assert_equals(scenario.expectation, "stripped-referrer");
+    // Only on top-level Window, due to navigations using `history`.
+    assert_equals(scenario.source_context_list.length, 0);
+
+    return invokeScenario(scenario)
+      .then(result => checkResult(scenario, expectation, result));
+  }, testDescription);
+}
+
+function TestCase(scenarios, sanityChecker) {
+  function runTest(scenario) {
+    // This check is A NOOP in release.
+    sanityChecker.checkScenario(scenario);
+
+    promise_test(_ => {
+      return invokeScenario(scenario)
+        .then(result => checkResult(scenario, scenario.expectation, result));
+    }, scenario.test_description);
+  }
+
+  function runTests() {
+    for (const scenario of scenarios) {
+      runTest(scenario);
+    }
+  }
+
+  return {start: runTests};
+}
diff --git a/testing/web-platform/tests/referrer-policy/generic/unsupported-csp-referrer-directive.html b/testing/web-platform/tests/referrer-policy/generic/unsupported-csp-referrer-directive.html
new file mode 100644
index 0000000000..27a3a99113
--- /dev/null
+++ b/testing/web-platform/tests/referrer-policy/generic/unsupported-csp-referrer-directive.html
@@ -0,0 +1,29 @@
+<!DOCTYPE html>
+<html>
+  <head>
+    <title>Referrer Policy: CSP 'referrer' directive should not be supported</title>
+    <meta http-equiv="Content-Security-Policy" content="referrer no-referrer">
+    <script src="/resources/testharness.js"></script>
+    <script src="/resources/testharnessreport.js"></script>
+    <!-- Common global functions for referrer-policy tests. -->
+    <script src="/common/security-features/resources/common.sub.js"></script>
+  </head>
+  <body>
+    <h1>Referrer Policy: CSP 'referrer' directive should not be supported</h1>
+    <p>CSP used to have a 'referrer' directive to set a Referrer Policy. This directive has been removed and should not be supported.</p>
+
+    <pre id="received_message">Running...</pre>
+
+    <script>
+      promise_test(function() {
+        var urlPath = '/common/security-features/subresource/image.py?cache_destroyer=' + (new Date()).getTime();
+        return requestViaImage(urlPath, null, 'always')
+          .then(function(message) {
+            assert_equals(message.referrer, document.location.href);
+          });
+      }, "Image has a referrer despite CSP 'referrer' directive");
+    </script>
+
+    <div id="log"></div>
+  </body>
+</html>