remove referrer by default

The referrer CSP is supported by chrome and firefox 38+.

Suppressing the referrer increases the users privacy and the image proxy isn't
any longer required to cloak the referrer on websites which are using hotlinking
protection based on referrers.

controllers/common.php

@@ -50,6 +50,7 @@ Router\before(function($action) {
         'media-src' => '*',
         'img-src' => '*',
         'frame-src' => Model\Config\get_iframe_whitelist(),
+        'referrer' => 'no-referrer',
     ));
 
     Response\xframe();