Let Rails set default referrer policy header

If someone wants to override this, we allow that in Omnibus through the
nginx configuration.

app/controllers/application_controller.rb

@@ -52,7 +52,6 @@ class ApplicationController < ActionController::Base
   around_action :set_current_admin
 
   after_action :set_page_title_header, if: :json_request?
-  after_action :set_referrer_policy_header
   after_action :limit_session_time, if: -> { !current_user }
 
   protect_from_forgery with: :exception, prepend: true
@@ -560,10 +559,6 @@ class ApplicationController < ActionController::Base
 
     redirect_to users_sign_up_welcome_path
   end
-
-  def set_referrer_policy_header
-    response.headers['Referrer-Policy'] = 'origin-when-cross-origin'
-  end
 end
 
 ApplicationController.prepend_if_ee('EE::ApplicationController')

changelogs/unreleased/move-referrer-policy-to-header.yml

 ---
-title: Move Referrer-Policy from HTML to header
+title: Set default Referrer-Policy to strict-origin-when-cross-origin and set it in a header rather than HTML
 merge_request: 26065
 author: nhirokinet
 type: changed

lib/support/nginx/gitlab

@@ -73,8 +73,6 @@ server {
 
   ## See app/controllers/application_controller.rb for headers set
 
-  add_header Referrer-Policy origin-when-cross-origin;
-
   ## Real IP Module Config
   ## http://nginx.org/en/docs/http/ngx_http_realip_module.html
   real_ip_header X-Real-IP; ## X-Real-IP or X-Forwarded-For or proxy_protocol