We try to maintain the same security slider behavior as for the
legacy version of NoScript.

This patch uses a few tricks:

1. Using a LegacyExtensionContext (defined in LegacyExtensionsUtils.jsm)
   to send JSON objects to NoScript via sendMessage.
2. Taking advantage of an existing invocation of
   browser.runtime.onMessage.addListener(...) in NoScript's code that accepts
   a JSON object for updating NoScript's settings.
3. Providing NoScript with settings for a "site" whose "domain" is "http:",
   which causes NoScript to match non-https sites.

(Thanks to Sukhbir Singh for help.)