Use of the Content-Security-Policy header to specify a referrer policy
was deprecated in favor of a [new
header](fc55d917be).
This change changes the existing referrer policy directives to use this
header and adds corresponding config options/command line flags.
We can use the Host property of the request and the X-Forwarded-Proto to
infer the site URL. To reduce complexity, the path is not inferred, and
it is assumed that linx-server is running at /. If this is not the case,
the site URL must be manually configured; this is no different than it
was before.
The policy of "referrer none" was incorrect and was nonfunctional. With
this change, the CSP referrer policy is set to origin, which
will causes only the origin to be sent for requests made from the main
site.
A fix was also needed for referrer checks in two places.