FEATURE: Stop checking referer for embeds (PR #13756)

Flips content_security_policy_frame_ancestors default to enabled, and removes HTTP_REFERER checks on embed requests, as the new referer privacy options made the check fragile.
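
An added illustration of the trade-off described above, not code from the pull request or from Discourse: a Referer-based embed check beside a `frame-ancestors` policy built from the same allow-list. The hosts and the names `EMBED_ORIGINS`, `origin_of`, `referer_allows_embed?` and `frame_ancestors_policy` are hypothetical, and including `'self'` in the policy is an assumption.

```ruby
require "uri"

# Constructed allow-list of embedding sites (hypothetical hosts).
EMBED_ORIGINS = ["https://blog.example.com", "https://docs.example.org:8443"].freeze

# Reduce a URL to scheme://host[:port]; nil for anything that is not a
# plain http(s) origin, so odd values never reach a response header.
def origin_of(url)
  uri = URI.parse(url.to_s)
  return nil unless uri.is_a?(URI::HTTP) && uri.host =~ /\A[a-z0-9.-]+\z/i
  port = uri.port == uri.default_port ? "" : ":#{uri.port}"
  "#{uri.scheme}://#{uri.host.downcase}#{port}"
rescue URI::InvalidURIError
  nil
end

# Server-side check of the kind being removed: it can only say yes when
# the browser chose to send a Referer header.
def referer_allows_embed?(referer, allowed = EMBED_ORIGINS)
  origin = origin_of(referer)
  !origin.nil? && allowed.include?(origin)
end

# Browser-enforced replacement: the response names the permitted ancestors
# and the browser compares them with the real frame chain.
def frame_ancestors_policy(allowed = EMBED_ORIGINS)
  sources = allowed.map { |o| origin_of(o) }.compact.uniq
  (["frame-ancestors", "'self'"] + sources).join(" ")
end

if __FILE__ == $PROGRAM_NAME
  # Constructed requests: the same legitimate embed under different
  # Referrer-Policy settings on the embedding page.
  { "default policy" => "https://blog.example.com/post/1",
    "origin only"    => "https://blog.example.com/",
    "no-referrer"    => nil }.each do |label, referer|
    puts "#{label}: referer check => #{referer_allows_embed?(referer)}"
  end
  puts "Content-Security-Policy: #{frame_ancestors_policy}"
end
```

The `no-referrer` case is rejected by the Referer check even though the embedding site is on the allow-list, while the header-based policy does not depend on what the request carries.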

This pull request has been mentioned on Discourse Meta. There might be relevant details there: