
Issue 687235

Issue metadata

Status: WontFix
Owner:
Closed: Feb 2017
Cc:
Components:
EstimatedDays: ----
NextAction: ----
OS: Android
Pri: 2
Type: Bug


If the page has insecurely loaded image, it becomes uninstallable

Project Member Reported by zqzh...@chromium.org, Jan 31 2017

Issue description

The following page has two cross-origin iframes, and "Add To Homescreen" won't pop up the dialog to install the WebAPK:
https://xxyzzzq.github.io/sandbox/manifest/simple-app.html

However, after removing the iframes, it works:
https://xxyzzzq.github.io/sandbox/manifest/simple-app-without-iframes.html
 

Comment 1 by hanxi@chromium.org, Jan 31 2017

Cc: pkotw...@chromium.org
The first page doesn't meet the requirements of Web Apps, so it is added as a regular shortcut. Talked with Peter, it's probably because the URLs of the video of the iframes aren't within the scope of the site.

Yes. I did some logging and found it's related to the if statement in AddToHomescreenManager::Start(), i.e. InstallableManager::IsContentSecure() returning false.

So is "cross-origin iframe/cross-origin video source causing the WebApp to be non-installable" a legitimate restriction?

If yes, there should be a way for web developers to work around it. For example, the developer can make the start_url page installable, but then have a link for navigating to another URL within the scope which contains such a cross-origin iframe/video.
Cc: hanxi@chromium.org
Owner: dominickn@chromium.org
Status: Assigned (was: Untriaged)
It seems that the banner does not show for a page with cross origin frames as a result of fixing Issue 657739 "Progressive web app install banner is shown despite mixed content".

Assigning to Dominick who can provide more context
It's not that the page has cross origin frames that's the problem. It's not including them securely with HTTPS. It's not showing "Secure" next to the lock icon.
To be even more specific, loading the page, then opening up devtools shows the following in the console:

Mixed Content: The page at 'https://xxyzzzq.github.io/sandbox/manifest/simple-app.html' was loaded over HTTPS, but requested an insecure image 'http://camendesign.com/code/video_for_everybody/poster.jpg'. This content should also be served over HTTPS.

So it isn't even the cross-origin iframe that's the issue. It's an insecurely loaded image. ;)
Summary: If the page has insecurely loaded image, it becomes uninstallable (was: If the page has cross-origin iframes, it becomes uninstallable)
I see. So for the same reason as #2, should this prevent the Web App from being installable?
Status: WontFix (was: Assigned)
Yes. PWAs must be served over a secure connection. Having mixed content means that a site is not secure, and therefore by definition, not a PWA. This is working as intended.

Sites that don't get the "Secure" chip are not secure.
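
The distinction the thread arrives at (an HTTPS cross-origin frame is fine, an `http:` subresource is not) can be checked before deployment. The following is an added example, not part of the issue thread and not Chromium's `IsContentSecure()` logic: a static audit that resolves each subresource URL against the page URL and separates insecure loads from merely cross-origin ones. The markup is constructed, and the hosts `video.example` and `media.example` are placeholders.

```javascript
// Added example: static mixed-content audit (an approximation, not Chrome's code).
const PAGE = 'https://xxyzzzq.github.io/sandbox/manifest/simple-app.html';

// Constructed markup; only the poster URL comes from the console message above.
const SAMPLE_HTML = `
<link rel="manifest" href="manifest.json">
<iframe src="https://video.example/embed/1"></iframe>
<video controls poster="http://camendesign.com/code/video_for_everybody/poster.jpg">
  <source src="//media.example/clip.mp4" type="video/mp4">
</video>`;

const TAG_RE = /<(img|video|audio|source|iframe|script|embed|object|link)\b([^>]*)>/gi;
const ATTR_RE = /([\w-]+)\s*=\s*(?:"([^"]*)"|'([^']*)'|([^\s"'>]+))/g;

// Collect every URL the markup would fetch, resolved against the page URL.
function findSubresources(html, pageUrl) {
  const found = [];
  for (const [, rawTag, attrText] of html.matchAll(TAG_RE)) {
    const tag = rawTag.toLowerCase();
    const attrs = {};
    for (const m of attrText.matchAll(ATTR_RE)) {
      attrs[m[1].toLowerCase()] = m[2] ?? m[3] ?? m[4];
    }
    // Of <link> elements, only stylesheets are treated as subresources here.
    if (tag === 'link' && !/\bstylesheet\b/i.test(attrs.rel || '')) continue;
    const names = tag === 'link' ? ['href'] : tag === 'object' ? ['data'] : ['src', 'poster'];
    for (const name of names) {
      if (!attrs[name]) continue;
      try {
        found.push({ tag, attr: name, url: new URL(attrs[name], pageUrl) });
      } catch { /* unparsable URL: nothing is fetched */ }
    }
  }
  return found;
}

// Split subresources into insecure (http:) and merely cross-origin (https:).
function auditMixedContent(html, pageUrl) {
  const page = new URL(pageUrl);
  const subs = findSubresources(html, pageUrl);
  const label = (s) => `${s.tag}[${s.attr}] ${s.url.href}`;
  const insecure = subs.filter((s) => s.url.protocol === 'http:').map(label);
  const crossOrigin = subs
    .filter((s) => s.url.protocol === 'https:' && s.url.origin !== page.origin)
    .map(label);
  return { secure: page.protocol === 'https:' && insecure.length === 0, insecure, crossOrigin };
}
console.log(auditMixedContent(SAMPLE_HTML, PAGE));
```

Protocol-relative URLs such as `//media.example/clip.mp4` inherit the page's scheme, so they resolve to HTTPS here and are reported only as cross-origin.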
