Additional protections for browsing hidden websites

I want to recommend researching and implementing additional protections for browsing hidden service websites.

Some ideas:

• #9623 (moved): Don't send referers from hidden addresses.

• Javascript disabled by default for hiddden services, whether it is enabled for public websites.

• This is all I can think of for now