Enable XSS auditing by default

Qt disables this by default, but Chromium does have it enabled.

I also submitted a change to Qt to hopefully enable it by default there
starting with Qt 5.12: https://codereview.qt-project.org/#/c/198354/15

This also removes the claim of having a (big) performance impact, as Chromium's
XSS design doc says the opposite:
https://www.chromium.org/developers/design-documents/xss-auditor

doc/changelog.asciidoc

@@ -23,6 +23,12 @@ Added
 
 - The qute-pass userscript now has optional OTP support.
 
+Changed
+~~~~~~~
+
+- The `content.xss_auditing` setting is now enabled by default, to mirror
+  Chromium's rather than Qt's default behavior.
+
 Fixed
 ~~~~~
 

doc/help/settings.asciidoc

@@ -2061,13 +2061,13 @@ Default: +pass:[false]+
 [[content.xss_auditing]]
 === content.xss_auditing
 Monitor load requests for cross-site scripting attempts.
-Suspicious scripts will be blocked and reported in the inspector's JavaScript console. Enabling this feature might have an impact on performance.
+Suspicious scripts will be blocked and reported in the inspector's JavaScript console.
 
 This setting supports URL patterns.
 
 Type: <<types,Bool>>
 
-Default: +pass:[false]+
+Default: +pass:[true]+
 
 [[downloads.location.directory]]
 === downloads.location.directory

qutebrowser/config/configdata.yml

@@ -729,14 +729,13 @@ content.webrtc_public_interfaces_only:
 
 content.xss_auditing:
   type: Bool
-  default: false
+  default: true
   supports_pattern: true
   desc: >-
     Monitor load requests for cross-site scripting attempts.
 
     Suspicious scripts will be blocked and reported in the inspector's
-    JavaScript console. Enabling this feature might have an impact on
+    JavaScript console.
-    performance.
 
 # emacs: '