referer: HTML5 browsers no longer leak pad through HTTP referer header

Added `rel="noreferrer"` to automatically generated links in the main pad window
as well as the chat window.

`rel="noreferrer"` is part of the HTML5 standard. While browser support isn't
100%, it's better than nothing. Future alternative solutions with wider browser
support, such as intermediary redirect pages, are unaffected by this change.

https://html.spec.whatwg.org/multipage/links.html#link-type-noreferrer

This commit was originally part of https://github.com/ether/etherpad-lite/pull/2498
Joel Purra 2015-01-27 12:11:07 +01:00 committed by muxator
parent 14d81ecef8
commit f314460b7c
2 changed files with 8 additions and 2 deletions


@ -198,7 +198,10 @@ domline.createDomLine = function(nonEmpty, doesWrap, optBrowser, optDocument)
{
href = "http://"+href;
}
extraOpenTags = extraOpenTags + '<a href="' + Security.escapeHTMLAttribute(href) + '">';
// Using rel="noreferrer" stops leaking the URL/location of the pad when clicking links in the document.
// Not all browsers understand this attribute, but it's part of the HTML5 standard.
// http://www.w3.org/TR/html5/links.html#link-type-noreferrer
extraOpenTags = extraOpenTags + '<a href="' + Security.escapeHTMLAttribute(href) + '" rel="noreferrer">';
extraCloseTags = '</a>' + extraCloseTags;
}
if (simpleTags)
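Review bot: The comment added above the new `extraOpenTags` assignment says `rel="noreferrer"` "stops leaking" the pad location, but the attribute is only a request honoured by browsers that implement it, and it covers only the anchors built on this line. Because the pad URL is what would be disclosed to the linked site, I would word the comment as best-effort, e.g. `// rel="noreferrer" asks the browser to omit the Referer header (which would carry the pad URL) when a document link is followed; browsers that ignore it still send it.` A site-wide `Referrer-Policy` response header would be a useful complement for navigations this attribute does not reach; whether one is already set is not visible here. The `href` is still attribute-escaped before concatenation, which is right; `createDomLine` starts and ends outside the hunk.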