Add XSS checks for Referer header #606
@lifeforms, what if we add REQUEST_HEADERS:Referer to |
@spartantri We got burned by many false positives when trying to run libinjection on the Referer header, so we moved the Referer libinjection check to paranoia level 2 in #717. (A combination of things happened here: libinjection used to be trigger happy on URLs, as it assumed that a string |
This has been open for far too long and it seems we are not able to come up with a decent solution that does away with the false positives that this brings. During the monthly CRS chat, we decided to close this issue. Meeting minutes: #1671 (comment) If anybody feels like giving this a go for real and coming up with a working solution, then please reopen.
We did some very basic work to add some XSS checks for the Referer header (#475) but were forced to pull some back because of trivial FP (#585).
It is still worthwhile to add more comprehensive XSS checks, but we have to do this more carefully, maybe make some PoCs, see how log viewers and clients handle this data, decide what kind of rules we can enable safely, and which transformations to use.
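To make that trade-off concrete, here is an added Python illustration (not CRS rule logic; the Referer values are constructed): a loose "any tag" pattern flags a benign search referer that merely mentions an HTML tag, while a tighter pattern combined with repeated URL-decoding still catches an encoded script tag that a check on the raw header would miss.

```python
import re
from urllib.parse import unquote

# Constructed Referer values for the demonstration (not from the issue).
REFERERS = {
    # Ordinary link from another page.
    "plain": "https://example.com/articles/123",
    # Benign search referer whose query text merely talks about HTML tags.
    "benign": "https://search.example.com/?q=how+to+escape+%3Cb%3E+tags",
    # Hostile: a script tag hidden behind double URL-encoding.
    "hostile": "https://attacker.example/?r=%253Cscript%253Ealert(1)%253C%2Fscript%253E",
}

# Loose pattern: any '<' followed by a letter. Fires on benign markup talk.
LOOSE = re.compile(r"<[a-z]", re.I)
# Tighter pattern: constructs that would actually execute script.
TIGHT = re.compile(r"<script\b|javascript:|\bon[a-z]+\s*=", re.I)


def normalize(value, decode_passes=2):
    """Mimic WAF-style transformations: repeated URL-decoding ('+' as space),
    lowercasing and whitespace compression. decode_passes bounds the decoding."""
    out = value
    for _ in range(decode_passes):
        decoded = unquote(out.replace("+", " "))
        if decoded == out:
            break
        out = decoded
    return re.sub(r"\s+", " ", out).lower()


def check_referer(value, pattern=TIGHT, decode_passes=2):
    """Return True if the normalized Referer matches the given XSS pattern."""
    return pattern.search(normalize(value, decode_passes)) is not None


def compare(referers=REFERERS):
    """Hits per Referer for three (pattern, decoding depth) combinations:
    raw header with the tight pattern, decoded with loose, decoded with tight."""
    return {
        name: {
            "raw_tight": check_referer(v, TIGHT, 0),
            "decoded_loose": check_referer(v, LOOSE, 2),
            "decoded_tight": check_referer(v, TIGHT, 2),
        }
        for name, v in referers.items()
    }
```

Running `compare()` shows the false positive (`benign` hit by `decoded_loose`), the miss (`hostile` not hit by `raw_tight`), and the combination that gets both right.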