Update referrer policy default to a stricter value (#177559)

### Summary
Update the default value of
`server.securityResponseHeaders.referrerPolicy` to a stricter value:
`strict-origin-when-cross-origin`

docs/setup/settings.asciidoc

@@ -405,7 +405,7 @@ disable, set to `null`. *Default:* `"nosniff"`
 Controls whether the https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Referrer-Policy[`Referrer-Policy`] header is used in all
 responses to the client from the {kib} server, and specifies what value is used. Allowed values are `no-referrer`,
 `no-referrer-when-downgrade`, `origin`, `origin-when-cross-origin`, `same-origin`, `strict-origin`, `strict-origin-when-cross-origin`,
-`unsafe-url`, or `null`. To disable, set to `null`. *Default:* `"no-referrer-when-downgrade"`
+`unsafe-url`, or `null`. To disable, set to `null`. *Default:* `"strict-origin-when-cross-origin"`
 
 [[server-securityResponseHeaders-permissionsPolicy]] `server.securityResponseHeaders.permissionsPolicy`::
 experimental[] Controls whether the https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Permissions-Policy[`Permissions-Policy`] header

packages/core/http/core-http-server-internal/src/__snapshots__/http_config.test.ts.snap

@@ -84,7 +84,7 @@ Object {
     "crossOriginOpenerPolicy": "same-origin",
     "disableEmbedding": false,
     "permissionsPolicy": "camera=(), display-capture=(), fullscreen=(self), geolocation=(), microphone=(), web-share=()",
-    "referrerPolicy": "no-referrer-when-downgrade",
+    "referrerPolicy": "strict-origin-when-cross-origin",
     "strictTransportSecurity": null,
     "xContentTypeOptions": "nosniff",
   },

packages/core/http/core-http-server-internal/src/security_response_headers_config.test.ts

@@ -20,7 +20,7 @@ describe('parseRawSecurityResponseHeadersConfig', () => {
       Object {
         "Cross-Origin-Opener-Policy": "same-origin",
         "Permissions-Policy": "camera=(), display-capture=(), fullscreen=(self), geolocation=(), microphone=(), web-share=()",
-        "Referrer-Policy": "no-referrer-when-downgrade",
+        "Referrer-Policy": "strict-origin-when-cross-origin",
         "X-Content-Type-Options": "nosniff",
       }
     `);

packages/core/http/core-http-server-internal/src/security_response_headers_config.ts

@@ -30,7 +30,7 @@ export const securityResponseHeadersSchema = schema.object({
       schema.literal('unsafe-url'),
       schema.literal(null),
     ],
-    { defaultValue: 'no-referrer-when-downgrade' }
+    { defaultValue: 'strict-origin-when-cross-origin' }
   ),
   permissionsPolicy: schema.oneOf([schema.string(), schema.literal(null)], {
     // See: https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Permissions-Policy

packages/core/usage-data/core-usage-data-server-internal/src/core_usage_data_service.test.ts

@@ -311,7 +311,7 @@ describe('CoreUsageDataService', () => {
                   "crossOriginOpenerPolicy": "same-origin",
                   "disableEmbedding": false,
                   "permissionsPolicyConfigured": true,
-                  "referrerPolicy": "no-referrer-when-downgrade",
+                  "referrerPolicy": "strict-origin-when-cross-origin",
                   "strictTransportSecurity": "NULL",
                   "xContentTypeOptions": "nosniff",
                 },

x-pack/test_serverless/api_integration/test_suites/common/platform_security/response_headers.ts

@@ -18,7 +18,7 @@ export default function ({ getService }: FtrProviderContext) {
     const defaultPermissionsPolicy =
       'camera=(), display-capture=(), fullscreen=(self), geolocation=(), microphone=(), web-share=()';
     const defaultStrictTransportSecurity = 'max-age=31536000; includeSubDomains';
-    const defaultReferrerPolicy = 'no-referrer-when-downgrade';
+    const defaultReferrerPolicy = 'strict-origin-when-cross-origin';
     const defaultXContentTypeOptions = 'nosniff';
     const defaultXFrameOptions = 'SAMEORIGIN';