Add "Referrer-Policy: no-referrer" to standard HTTP headers

Summary:
Ref T4340. Some browsers respect this header and referrers are a plague upon the earth.

Also, upgrade "never" to the more modern value "no-referrer".

Test Plan:
In Safari, Firefox and Chrome, disabled `rel="noreferrer"` on links and generated a normal link to an external site. Then clicked it and checked if a referrer was sent.

  - Safari respects meta only, but "no-referrer" is fine.
  - Firefox respects both (either the header or meta tag are individually sufficient to stop referrers).
  - Chrome respects both (same as Firefox).

Maniphest Tasks: T4340

Differential Revision: https://secure.phabricator.com/D19144

src/aphront/response/AphrontResponse.php

@@ -92,6 +92,8 @@ abstract class AphrontResponse extends Phobject {
       $headers[] = array('Content-Security-Policy', $csp);
     }
 
+    $headers[] = array('Referrer-Policy', 'no-referrer');
+
     return $headers;
   }
 

src/view/page/PhabricatorBarePageView.php

@@ -119,7 +119,7 @@ class PhabricatorBarePageView extends AphrontPageView {
       'meta',
       array(
         'name' => 'referrer',
-        'content' => 'never',
+        'content' => 'no-referrer',
       ));
 
     $response = CelerityAPI::getStaticResourceResponse();