At the moment we are sending a less private Referrer-Policy than the one that would be used if we didn't send one.
$this->useStrictReferrerPolicy is not set in which case nothing is sent to other origins)
Hard to say if it would break anything. I remember https://github.com/matomo-org/matomo/pull/14482 broke the overlay when we tried various different settings earlier and we now worked around it with https://github.com/matomo-org/matomo/pull/14766/files
Generally sounds good to do this 👍 FYI seems it's not supported by IE11
And I suppose nothing changes when someone switches from HTTP to HTTPS? E.g. when logging in, we don't look at the full referrer? Not sure if something behaves differently there maybe (didn't check in detail)
In the code we have the comment
always send explicit default header, and it looks like this is the new default header. I'm not sure what it could break, but it is definitely the more secure and up-to-date solution.
Maybe we could merge this quite early after a release, so there is a longer time to notice if this breaks something in a subtle way.