Updated Headers Via gatsby-plugin-netlify & @netlify/plugin-gatsby - referrer header with domain not being set as before in iframe src urls

site: clicktherapeutics.com
gatsby: ~5.11.0
gatsby-plugin-netlify: ^5.1.1
preview demoing broken site: https://deploy-preview-74--clicktherapeutics.netlify.app/
preview demoing working site: https://deploy-preview-73--clicktherapeutics.netlify.app/

We have been having issues in production with parts of our site being cached by certain users (Firefox on Windows), and added gatsby-plugin-netlify and changed our Netlify plugin from netlify-plugin-gatsby-cache to @netlify/plugin-gatsby.

The new headers added to our project are thus:

"/public/**/*.html": [
  `cache-control: public`,
  `cache-control:  max-age=0`,
  `cache-control: must-revalidate`,
],
"/public/page-data/*": [
  `cache-control: public`,
  `cache-control:  max-age=0`,
  `cache-control: must-revalidate`,
],
"/sw.js": [
  `cache-control: public`,
  `cache-control:  max-age=0`,
  `cache-control: must-revalidate`,
],
"/*": [
  `cache-control: public`,
  `cache-control:  max-age=180`,
  `cache-control: no-cache`,
  `cache-control: must-revalidate`,
],

On our site, we have a video player with domain-secured access to Vimeo. It has been working as expected up until this change.

With the change, Vimeo denied our requests with 403 Forbidden due to the site lacking permissions to view the video. My thoughts are I probably have done something with the header configuration to break this, or something has changed with the plugin and the CDN and how requests are made to external resources.

UPDATE: I noticed that in working previews of the site, the Referer header is being passed through to Vimeo via the iframe src. However, the Referer header is not being passed in environments where the video is not loading. Did something change to trigger a different referer-policy for iframes within Netlify?

Our current vimeo domains are:

Can you help?

We rolled back our deploy (and will roll back code changes if necessary, but I don’t want to be stuck on a particular version of dependencies forever).

We got around this issue by refactoring our iframe component to force Referrer-Policy: strict-origin-when-cross-origin header on the iframe, which enables the referer header to be properly set. However, something changed somewhere to make this a necessity, not sure what. So be careful, there be dragons.

<iframe
    referrerPolicy="strict-origin-when-cross-origin"
></iframe>
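
The effect described in this thread, as an added example that is not part of the original posts or of Netlify's or Gatsby's code: how a document-level referrer policy and an iframe's referrerpolicy attribute combine to decide the Referer sent to the embed host, following the W3C Referrer Policy rules. The URLs are constructed, and the restrictive document policies it is run with are assumptions, since the thread does not say which policy the broken deploy served.

```javascript
// Added example. "Downgrade" is simplified here to https -> non-https.
function effectivePolicy(documentPolicy, iframeAttr) {
  // A non-empty referrerpolicy attribute on the iframe overrides the
  // document's policy; an empty policy falls back to the browser default.
  return iframeAttr || documentPolicy || "strict-origin-when-cross-origin";
}

function refererFor(pageUrl, targetUrl, policy) {
  const page = new URL(pageUrl);
  const target = new URL(targetUrl);
  // Credentials and fragment never appear in a Referer.
  page.username = "";
  page.password = "";
  page.hash = "";
  const full = page.href;
  const originOnly = page.origin + "/";
  const sameOrigin = page.origin === target.origin;
  const downgrade = page.protocol === "https:" && target.protocol !== "https:";
  switch (policy) {
    case "no-referrer": return null;
    case "unsafe-url": return full;
    case "origin": return originOnly;
    case "same-origin": return sameOrigin ? full : null;
    case "strict-origin": return downgrade ? null : originOnly;
    case "origin-when-cross-origin": return sameOrigin ? full : originOnly;
    case "no-referrer-when-downgrade": return downgrade ? null : full;
    case "strict-origin-when-cross-origin":
      if (sameOrigin) return full;
      return downgrade ? null : originOnly;
    default: throw new Error("unknown referrer policy: " + policy);
  }
}

// Referer (or null for "header omitted") sent when the iframe loads its src.
function iframeReferer(pageUrl, iframeSrc, documentPolicy, iframeAttr) {
  return refererFor(pageUrl, iframeSrc, effectivePolicy(documentPolicy, iframeAttr));
}

// Constructed sample: a page embedding a player from another origin.
const PAGE = "https://site.example/videos/intro?ref=nav#player";
const EMBED = "https://player.example/video/123";
```

A `null` result means the embed host receives no Referer at all, which is the condition under which a domain-restricted player has nothing to match against its allow-list.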

Thanks for sharing this with the community!