Several extensions broken by CORB

[AprilSylph]

Chrome's CORB apparently breaks all api.tumblr.com calls, which are included in:

• [ ] Profiler
• [ ] Find Blogs
• [ ] TagViewer
• [ ] Post Archiver
• [ ] Audio Downloader
• [ ] Read More Now
• [ ] Notifications+
• [ ] ReplyViewer
• [ ] Tag Replacer
• [ ] View My Tags
• [ ] Retags
• [ ] XStats (stats.js)
• [ ] User Menus+ (show_more.js)
• [ ] Blog Tracker (people_notifier.js)
• [ ] Mass+
• [ ] Post Limit Checker
• [ ] Tag Tracking+ (classic_tags)
• [ ] View on Dash

There is also a reference to api.tumblr.com in the bridge, but only as part of HTTPS forwarding - only Post Archiver and Mass+ attempt HTTP connections.

P-Critical due to number of extensions affected and the popularity of Chrome.

[nightpool]

to be more specific, https://www.chromium.org/Home/chromium-security/extension-content-script-fetches breaks all cross-origin calls from content scripts, and api.tumblr.com is our most frequent cross-origin request. There may be others. I'm pretty sure XCloud is broken, for example.

EDIT: Actually it does look like they're respecting access-control-allow-* headers, because installing extensions seems to work. So if XCloud is broken we can just fix it that way. That doesn't rule out other extensions that depend on external resources outside of our control though, which there are probably a few of.

[AprilSylph]

Removing priority label since we are now whitelisted. Issue should be renamed if we want to use this checklist for reducing cross-origin requests. Also removing bug tag since it currently has no actual bearing on the user experience.