Nice work, amazing for a first time contribution. Thank you for making this PR - I love to see new security headers coming into Django. I was a bit concerned that browsers might not have standardized MDN lists the header as fully supported on Chrome, Edge, and Firefox.

The new default is backwards incompatible, but I think the use cases (cross-site pop-ups deliberately communicating) are fairly niche (I think?). For referrer-policy we added it in one version (3.0) then changed the default in the next (3.1.). We could do that here, but I think doing it all at once with a good release note should be enough, and isn't really that functionally different from changing the default in one version.

I've made a few comments below, mostly small picks. I'm sure the fellows will have more to say, they know more about what's going on than me.

I didn't check but there should be a ticket for COEP/CORP too, if you're feeling like a follow-up. I guess they should be added together since they're more interdependent.

I can't push to this branch so I addressed all review comments and made a few more edits of my own in #14189.