brave / brave-browser

Brave browser for Android, iOS, Linux, macOS, Windows.
https://brave.com
Mozilla Public License 2.0

[ads] Deny disallowed URL redirects if eTLD+1 does not match the `targetUrl` #37998

Open tmancey opened 5 months ago

tmancey commented 5 months ago

Consider adding to httpResponseStatus in confirmation token redemption payload

tackley commented 5 months ago

This needs to be introduced in "warning mode" only first, where we can identify creatives that broke this rule, so we can investigate whether the flag is correct without risking revenue.

The kind of thing I'm worrying about is things like DDoS / bot protection services, which may have valid reasons to redirect via a different eTLD+1 temporarily. What we're trying to protect against here is additional user tracking across multiple domains (recording personal identifiers via cookies or scripts, etc.) without breaking valid advertiser activity.

thypon commented 2 days ago

@tackley we might want to have an allowlist for DDoS protection websites, like Cloudflare or Fastly.
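The check discussed in this issue, written out as an added illustration that is not Brave's code: every hop in a redirect chain is reduced to its eTLD+1 and compared with the eTLD+1 of `targetUrl`; a hop whose eTLD+1 differs is a mismatch unless it belongs to an allowlisted provider, and the result is a verdict that is `"warn"` in warning mode and `"deny"` in enforce mode. The public suffix list here is a constructed, deliberately tiny subset (a real implementation would use the full list, which in Chromium is what `net::registry_controlled_domains::GetDomainAndRegistry` consults), the function names and the `mode`/`allowlist` options are hypothetical, and all URLs and allowlist entries are constructed example domains rather than any real provider's behaviour.

```javascript
// Added example, not Brave's code. Demonstrates an eTLD+1 comparison of each
// redirect hop against targetUrl, with a warning mode and a provider allowlist.

// Assumption: a constructed subset of the Public Suffix List. A real
// implementation must load the full list; this subset only serves the example.
const PUBLIC_SUFFIXES = new Set(["com", "net", "org", "io", "uk", "co.uk"]);

function isIpLiteral(hostname) {
  // URL.hostname renders IPv6 literals in brackets, IPv4 as dotted decimal.
  return /^\[.*\]$/.test(hostname) || /^\d+(\.\d+){3}$/.test(hostname);
}

// eTLD+1 ("registrable domain"): the longest matching public suffix plus one
// more label. Returns null when the hostname is itself a public suffix.
function registrableDomain(hostname) {
  if (isIpLiteral(hostname)) return hostname; // no registry for IP literals
  const labels = hostname.toLowerCase().replace(/\.$/, "").split(".");
  let suffixLen = 0;
  for (let i = labels.length - 1; i >= 0; i--) {
    if (PUBLIC_SUFFIXES.has(labels.slice(i).join("."))) {
      suffixLen = labels.length - i; // keep the longest match
    }
  }
  if (suffixLen === 0) suffixLen = 1; // PSL default rule: unknown TLD is one label
  if (labels.length <= suffixLen) return null;
  return labels.slice(labels.length - suffixLen - 1).join(".");
}

// Compare every hop of a redirect chain against the eTLD+1 of targetUrl.
// mode: "warn" records mismatches without denying; "enforce" denies on any.
// allowlist: hostnames or domains of DDoS/bot-protection providers whose
// eTLD+1 may legitimately appear in the chain (hypothetical option).
function checkRedirectChain(targetUrl, redirectChain, { mode = "warn", allowlist = [] } = {}) {
  const target = registrableDomain(new URL(targetUrl).hostname);
  const allowed = new Set(allowlist.map((entry) => registrableDomain(entry)).filter(Boolean));
  const mismatches = [];
  for (const hop of redirectChain) {
    const domain = registrableDomain(new URL(hop).hostname);
    if (domain !== null && domain === target) continue;
    if (domain !== null && allowed.has(domain)) continue;
    mismatches.push({ url: hop, etldPlusOne: domain });
  }
  let verdict = "allow";
  if (mismatches.length > 0) verdict = mode === "enforce" ? "deny" : "warn";
  return { verdict, target, mismatches };
}

// Constructed sample chains (not real creatives).
const SAME_SITE_CHAIN = ["https://click.example.com/r?id=1", "https://example.com/landing"];
const CROSS_SITE_CHAIN = ["https://track.example.net/r?id=1", "https://www.example.com/landing"];
const PROTECTED_CHAIN = ["https://bot-check.example.org/challenge", "https://www.example.com/landing"];

if (typeof require !== "undefined" && require.main === module) {
  console.log(checkRedirectChain("https://www.example.com/landing", SAME_SITE_CHAIN));
  console.log(checkRedirectChain("https://www.example.com/landing", CROSS_SITE_CHAIN));
  console.log(checkRedirectChain("https://www.example.com/landing", CROSS_SITE_CHAIN, { mode: "enforce" }));
  console.log(checkRedirectChain("https://www.example.com/landing", PROTECTED_CHAIN, {
    mode: "enforce", allowlist: ["bot-check.example.org"],
  }));
}
```

The returned `mismatches` array is the piece worth recording in warning mode: it names the hop and the foreign eTLD+1, which is what an investigation needs to decide whether a creative is tracking across sites or merely bouncing through a protection service that belongs on the allowlist. Note that the allowlist is keyed by eTLD+1 as well, so it should be kept to the specific provider domains rather than anything broad enough to let an advertiser's own tracking domain through.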