Blind cross-origin requests to .tor.onion domains
PoC:
<!DOCTYPE html>
<html>
<body>
<span></span>
<script>
  // Measure how long a cross-origin image request to a .tor.onion alias takes
  // to fail or succeed; only the elapsed time is observed, not the response.
  const target = document.querySelector("span");
  const before = Date.now();
  const img = new Image();
  img.onload = () => {
    target.textContent = (Date.now() - before);
  };
  img.onerror = () => {
    // Also fires when the request is rejected outright (e.g. resolution fails).
    target.textContent = (Date.now() - before);
  };
  img.src = "https://nytimes.securedrop.tor.onion";
</script>
</body>
</html>
Pref on: hundreds of ms, even thousands.
Pref off: 0 or 16-17 ms (the request is rejected immediately because resolution fails; at least the browser does not reveal the cause).
We should find a way to allow onion aliases only when the document initiating a request is in the same eTLD.
And if we extend the functionality to support more lists, it will be a nightmare: users could be fingerprinted based on the lists they have, as with uBlock Origin.
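The same-eTLD gate proposed above, as an added example that is neither part of this report nor Tor Browser's own code: an alias lookup is attempted only when the initiating document's site matches the alias's site, so a cross-site request fails before any resolution and its timing matches the "pref off" case. It assumes "tor.onion" is treated as the public suffix (so the site of nytimes.securedrop.tor.onion is securedrop.tor.onion) and that the decision is made before the lookup; the lookup callback is a stand-in.

```javascript
// Hypothetical gate for the policy proposed above. "tor.onion" is assumed to be
// the public suffix, so the registrable domain (eTLD+1) of
// "nytimes.securedrop.tor.onion" is "securedrop.tor.onion".
const ALIAS_SUFFIX = "tor.onion";

// Return the eTLD+1 of a host under ALIAS_SUFFIX, or null if it is not an alias.
function aliasSite(host) {
  const h = host.toLowerCase().replace(/\.$/, "");
  if (h === ALIAS_SUFFIX || !h.endsWith("." + ALIAS_SUFFIX)) return null;
  const labels = h.slice(0, -(ALIAS_SUFFIX.length + 1)).split(".");
  return labels[labels.length - 1] + "." + ALIAS_SUFFIX;
}

// Decide whether an alias lookup may be attempted for requestUrl on behalf of
// a document loaded from documentUrl. Non-alias hosts are left to normal handling.
function allowAliasResolution(documentUrl, requestUrl) {
  const targetSite = aliasSite(new URL(requestUrl).hostname);
  if (targetSite === null) return true;
  const docSite = aliasSite(new URL(documentUrl).hostname);
  return docSite === targetSite; // same eTLD+1 only
}

// Simulated resolution step. With the gate, a cross-site alias request is
// rejected before the (slow) lookup runs, so no timing difference is exposed.
function resolveAlias(documentUrl, requestUrl, lookup) {
  if (!allowAliasResolution(documentUrl, requestUrl)) {
    return { resolved: false, lookedUp: false };
  }
  return { resolved: lookup(new URL(requestUrl).hostname), lookedUp: true };
}
```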