Figure out how to sandbox meek in a sensible way.

Right now sandboxed-tor-browser does not support meek at all. This is suboptimal since it is popular.

There's two ways forward from my perspective:

• The correct fix would be to add code to spin up another sandbox container (since I do not think that even a neutered firefox process should live in the tor sandbox), for the meek helper firefox instance.

• The quick and dirty way would be to use meek_lite since obfs4proxy is allowed, and shipped versions contain the code. The downside is that it is even more distinct than meek usually is.