make hstshijack stealthier

[buffermet]

• We can now phish credentials by posting them to the callback path, and then stop spoofing that domain for the client that got phished. In other words, when the client's credentials get phished, and we give them a "wrong password" message, they will probably press the back button to try again. They will then be redirected to the legitimate hostname. Requests for this host will also no longer be spoofed for this client. (that was hard to word lol)
• We can now ignore all hostnames (with hstshijack.ignore *) except for specified (payload/hostname) targets.
• Regular expressions should now detect all valid domains.
• Fixed a pretty bad bug where the regular expression included "$1" in the hostname when no match was found.

[buffermet]

I'm still testing this so if all works as intended I'll merge.

[buffermet]

This works as intended now. Merging now.

Example:

1. User visits spoofed hostname
2. User logs in and the custom payload steals the credentials by posting them to the callback path (/obf_path_callback)
3. User gets redirected to "wrong password" page (or "reset password" page)
4. User tries to visit previous page
5. User is presented the real login page (original, non-spoofed hostname)

After receiving a request for the callback path, this hostname will no longer be spoofed for this client and any request for the spoofed hostname will immediately be redirected to the original host.