Just to provide an update here and to the rest of the community who may be following:
Last week, we set the referrer policy to
no-referrer-when-downgrade, and we plan to keep it this way for the foreseeable future. What this will do is prevent the full URL from being sent by the client (web browser) in the
Referer header when following a link or making an in-page HTTP request, if the other site is accessed over a non-secured HTTP protocol. However, it should still work in iframes to URLs that use the HTTPS protocol.
Please feel free to share feedback with us about Add-ons, both your ideal usage of them and how you feel they should be improved! A permanent solution for the issue that arose in this particular use case would be to pass the incident ID to the add-on in some other way, i.e. adding the incident ID into the URL as a parameter. We would ultimately like to tighten the referrer policy in the future without causing this type of issue, and so that would need to involve improving the design of the add-ons feature. Please let us know what you think!