denschub / chrome-mask

Makes Firefox wear a mask to look like Chrome.
https://addons.mozilla.org/addon/chrome-mask/
MIT License
85 stars 6 forks

Decide what to do about Cross-Origin requests #33

Open denschub opened 4 days ago

denschub commented 4 days ago

In this WebCompat report, we discovered a limitation of the addon in its current form. We need to spoof as Chrome to make this work, but this spoof needs to happen for a different origin: The site itself is www.southwest.com, but the resources we need to spoof for are hosted on siteintercept.qualtrics.com. The current implementation doesn't catch this. The current browser.webRequest.onBeforeSendHeaders registration explicitly only filters for the origins where the user has enabled the addon, so it will never fire for that other origin.

This was by design, as adding a blocking listener to <all_urls> has a performance cost. Since most people will have the addon enabled all the time, I did not want to add a listener to all requests. I could optimize this fairly well by having the request handler only check a Set instead of reading from extension storage, which would make this somewhat fast, but the cost is still non-zero.

There are three options for this:

  1. Ignore it: The solution for #11 could also contain a UI element to add hostnames. Danny's WIP at #32 doesn't include that yet, but it wouldn't be hard. This would allow users to add third-party origins if needed.
  2. Register the event for <all_urls>: This would add a tiny performance hit to everything, but we could check .documentUrl or .originUrl on the event details to check if we need to spoof or not.
  3. Change the API: If the onBeforeSendHeaders registration would allow for that, we could have some way to register the listeners to fire for all requests triggered by the specified set of origins. This is a long-shot, though - I don't think this would happen.

Would appreciate comments if anyone has opinions.
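To make the trade-off in option 2 concrete, here is an added example (not chrome-mask's own code) of a single blocking `onBeforeSendHeaders` listener on `<all_urls>` that decides per request whether to spoof based on the document that triggered the request, via `details.documentUrl` / `details.originUrl`, instead of the request URL. It keeps the enabled hostnames in a Set so the hot path never reads extension storage. The Chrome UA string, the `enabledHosts` contents and the sample request details are constructed for illustration; the Firefox WebExtensions field names and the `{ requestHeaders }` return shape are real, but the addon's actual header handling is not reproduced here.

```javascript
// Added example, not chrome-mask's code: option 2 from the issue.
// One blocking onBeforeSendHeaders listener on <all_urls>; the per-request
// check uses the page that caused the request, not the request URL.

// Hostnames the user enabled the mask for (constructed sample value). A Set,
// so the hot path does not touch extension storage.
const enabledHosts = new Set(["www.southwest.com"]);

// Hypothetical Chrome UA string; the real addon builds its own.
const CHROME_UA =
  "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 " +
  "(KHTML, like Gecko) Chrome/120.0.0.0 Safari/537.36";

function hostOf(url) {
  try {
    return new URL(url).hostname;
  } catch {
    return null;
  }
}

// The current behaviour for comparison: filtering on the request URL only.
// A request from www.southwest.com to siteintercept.qualtrics.com is missed.
function matchesRequestUrlOnly(details, hosts = enabledHosts) {
  const host = hostOf(details.url);
  return host !== null && hosts.has(host);
}

// Option 2: documentUrl is the document the resource is loaded into,
// originUrl the origin that initiated the request (e.g. a script). Both are
// absent for top-level navigations, so fall back to the request URL, which
// restores the old single-origin behaviour for that case.
function triggeringHost(details) {
  return hostOf(details.documentUrl || details.originUrl || details.url);
}

function shouldSpoof(details, hosts = enabledHosts) {
  const host = triggeringHost(details);
  return host !== null && hosts.has(host);
}

// Blocking-listener result: rewritten headers, or an empty object meaning
// "no change". Header names are matched case-insensitively.
function onBeforeSendHeaders(details, hosts = enabledHosts, ua = CHROME_UA) {
  if (!shouldSpoof(details, hosts)) return {};
  const requestHeaders = details.requestHeaders.map((h) =>
    h.name.toLowerCase() === "user-agent" ? { name: h.name, value: ua } : h
  );
  return { requestHeaders };
}

// Registration as it would appear in the extension's background script.
// Guarded so this file also loads outside a browser.
if (typeof browser !== "undefined" && browser.webRequest) {
  browser.webRequest.onBeforeSendHeaders.addListener(
    (details) => onBeforeSendHeaders(details),
    { urls: ["<all_urls>"] },
    ["blocking", "requestHeaders"]
  );
}
```

The cost the issue describes is visible in the registration: with `<all_urls>` and `"blocking"`, every request in every tab now waits on this function, including those from sites the user never enabled, so the early `return {}` path has to stay as cheap as a URL parse plus a Set lookup.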

denschub commented 4 days ago

Added context: If we wanted to match what the Interventions addon is doing, the current implementation is right - we do the same thing in our addon.