1. It uses full urls in hidden fields. Some web servers have a security heruristic where they block URL parameters (not sure about POST paramters) that are full URLs. You should always use a URL relative to wwwroot (output with moodle_url::out_as_local_url), and receive it with PARAM_LOCALURL.
2. It uses HTTP referrer as the return URL. this works the first time you arrive on a page like https://tjh238.vledev2.open.ac.uk/moodle_head/mod/wiki/filesedit.php?subwiki=1&pageid=1, but it fails if you then use the block editing UI on that page, or the purge caches link in the footer. The correct returnurl should be passed around in the URL, or hidden fields.