Audit Media Session API

The API was enabled by default in 82, by flipping the pref dom.media.mediasession.enabled (https://bugzilla.mozilla.org/show_bug.cgi?id=1665496).

From the spec https://w3c.github.io/mediasession:

This specification enables web developers to show customized media metadata on platform UI, customize available platform 
media controls, and access platform media keys such as hardware keys found on keyboards, headsets, remote controls, 
and software keys found in notification areas and on lock screens of mobile devices.

and from the privacy considerations section:

Media session actions expose a new input layer to the web platform. User agents should make sure users are aware that their
actions might be routed to the website with the active media session. Especially, when the actions are coming from remote
 devices such as a headset or other remote device. It is recommended for the user agent to follow the platform conventions
 when listening to these inputs in order to facilitate the user understanding. 

For privacy purposes, when in incognito mode, the user agent should be careful when sharing the information from 
MediaMetadata with the system and make sure they will not be used in a way that would harm the user. Displaying 
this information in a way that is very visible would be against the user’s intent of browsing in incognito mode. 
When available, the UI elements should be advertized as private to the platform. 

We should investigate whether this API adds new fingerprinting vectors and/or results in data being persisted (e.g. because of the MediaMetadata info being shared with the system).