domain-discover - ping to discover-jenkins.<hostname> is done over http irrespective of the scheme used for the connection to Jenkins.



(no component for domain-discover exists)

Imagine I connected to a secure HTTPS Jenkins with a "secret" in the URL and the domain-discover pinger worked: it would report the secret over http to the discover-jenkins endpoint (as the full URL is transferred in the Referer).

1) Should only the hostname (and/or IP address) be reported to discover-jenkins? (i.e. is it worth reporting a payload at all; privacy concerns, of course)
2) Putting this on by default might cause some entertaining side effects in public hosting infrastructure, e.g. OpenShift / CloudBees, depending on their vhosting layout: I would register a customer discover-jenkins and all customers would report to them (if the hosting provider didn't disable the module).
3) Should the ping use the same scheme as the incoming request, and should it check the certs (to avoid MITM)? IMO, with the introduction of Let's Encrypt there is no reason not to have valid https all the time, even for relatively low-value instances.
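As an added illustration of the three points above (this is example code written for this page, not the domain-discover module or any Jenkins code), the following builds a discovery ping that keeps the scheme of the incoming request, reports only the bare origin in the Referer so that userinfo, path, query and fragment never leave the server, and uses a certificate-verifying TLS context. The `discover-jenkins.<hostname>` naming comes from the report; the function names and the sample URL with a `token` query parameter are assumptions made for the example.

```python
"""Added example: build a discovery ping that cannot leak the caller's URL.

Not Jenkins code. The discover-jenkins.<hostname> convention is taken from
the issue; function names and the sample URL are constructed for this example.
"""
import ssl
from urllib.parse import urlsplit, urlunsplit


def build_discovery_ping(incoming_url: str) -> dict:
    """Return the ping target URL and request headers for an incoming request URL.

    incoming_url is the full URL that reached Jenkins. It may carry basic-auth
    userinfo, a path, a query string or a fragment, any of which could hold a
    secret; none of these is forwarded.
    """
    parts = urlsplit(incoming_url)
    if parts.scheme not in ("http", "https"):
        raise ValueError(f"unsupported scheme: {parts.scheme!r}")
    if not parts.hostname:
        raise ValueError("incoming URL has no hostname")

    # Point 3: the ping reuses the scheme of the incoming request, so an
    # https request never produces a plaintext http ping.
    target = urlunsplit(
        (parts.scheme, f"discover-jenkins.{parts.hostname}", "/", "", "")
    )

    # Point 1: only the origin (scheme + hostname) is reported. parts.hostname
    # drops userinfo and port; path, query and fragment are left empty, so a
    # secret embedded anywhere in the URL cannot travel in the Referer header.
    origin = urlunsplit((parts.scheme, parts.hostname, "", "", ""))
    return {"url": target, "headers": {"Referer": origin}}


def tls_context_for_ping() -> ssl.SSLContext:
    """Point 3: a TLS context that verifies the chain and the hostname.

    ssl.create_default_context() already sets CERT_REQUIRED and
    check_hostname; returning it (rather than an unverified context) is
    what prevents a MITM from impersonating the discover-jenkins endpoint.
    """
    ctx = ssl.create_default_context()
    if ctx.verify_mode != ssl.CERT_REQUIRED or not ctx.check_hostname:
        raise RuntimeError("TLS context must verify certificates and hostnames")
    return ctx


if __name__ == "__main__":
    # Constructed sample: a secret in userinfo and another in the query string.
    sample = "https://user:s3cret@jenkins.example.test:8443/job/x?token=abc#frag"
    ping = build_discovery_ping(sample)
    print(ping["url"])               # https://discover-jenkins.jenkins.example.test/
    print(ping["headers"]["Referer"])  # https://jenkins.example.test
```

The port is deliberately not carried into the discover-jenkins hostname, since the report describes the endpoint as `discover-jenkins.<hostname>`; if a deployment needed the port it would have to be an explicit, separate configuration value rather than something copied from the incoming URL.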

Assignee: Kohsuke Kawaguchi
Reporter: Ben Walding
Archiver: Jenkins Service Account
