
Improve Blob/File/MediaSource handling #88

Merged
weizman merged 13 commits into main from fix-issue-87 on Jun 14, 2023

Conversation

weizman (Member) commented Jun 11, 2023

This PR addresses #87 (see #88 (comment)) but ended up being more complicated...

Follow the comments below in this PR in order for context, but to sum things up:

  • Making URL objects out of blobs/files is no longer fully forbidden.
  • If you use JS to create a blob, you can turn it into a URL object only if it is in the blob-types whitelist.
  • However, if you take a native blob (the result of a fetch response, for example) you can turn it into a URL object with no limitations.
    • This allows attackers to fetch malicious content and turn it into a Blob, which is why Snow must be integrated with a strong cross-origin CSP.
  • Also, this opens up @arxenix's awesome bypass ([WIP] Hook URL object creation #45 (comment)); therefore Worker protection was also introduced in Hook Workers to appropriately treat Blobs completely #89.

weizman (Member, Author) commented Jun 11, 2023

Currently this is only a PoC, which will probably end up quite similar to this.
I,

weizman (Member, Author) commented Jun 12, 2023

  • refactored the blob and URL creation hooks to look better
  • still needs to:
    • make error handling clearer
    • write more tests to cover the new, more complex logic
    • test against popular sites

weizman changed the title from "[draft] poc for fixing issue 87" to "Improve Blob/File/MediaSource handling" on Jun 12, 2023
weizman marked this pull request as ready for review on Jun 12, 2023 09:27
weizman (Member, Author) commented Jun 12, 2023

PROBLEM: This implementation reopens @arxenix's brilliant bypass, so this work isn't done yet.

weizman (Member, Author) commented Jun 13, 2023

Reverted the 3dbc5aa test improvement so I could handle this correctly in a different PR, #89.

weizman (Member, Author) commented Jun 13, 2023

Merged Worker protection so this solution is actually hermetic: ac7a51a (this addresses #88 (comment)).

weizman (Member, Author) commented Jun 14, 2023

Update: had to change direction a bit (6ee2c98).
Some apps do expect to be able to fetch a resource as a native Blob and use JS to turn it into a URL object (which I had decided to block).
Therefore, instead of having an allowed-blobs list so that only JS-crafted blobs are allowed to become URL objects, the new approach differentiates "artificial blobs" (blobs made with JS) from "native blobs" (blobs fetched remotely and handed over by the browser).
If a blob is artificial, only allow it to become a URL object if its type is in the types whitelist.
If a blob is native, let it do whatever it wants.
This allows attackers to use XHR to fetch the malicious HTML they want as a blob and turn it into an object URL easily, which is just another reason why we MUST promote Snow as a solution that is almost irrelevant without CSP...

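The following is an added example, not Snow's code and not part of this PR, that sketches the rule summarized at the top of the thread and settled on in the Jun 14 comment: blobs constructed from script ("artificial") may become object URLs only if their MIME type is whitelisted, while blobs the runtime hands back ("native", e.g. from `fetch().blob()`) pass through untouched. Everything below is assumed for illustration: the whitelist contents (the PR does not list Snow's), the function names, and Node 18+ as the runtime (it has a global `Blob` and `URL.createObjectURL`, so the example runs offline). `File` and `MediaSource`, which the PR also covers, are left out, and the "native" blob is a constructed stand-in built with the original `Blob` constructor rather than a real fetch.

```javascript
// Added example (not Snow's code): artificial-vs-native blob guard on URL.createObjectURL.
// Runs stand-alone under Node >= 18; the same wiring applies to a browser window.

const NativeBlob = globalThis.Blob;
const nativeSlice = NativeBlob.prototype.slice;
const nativeCreateObjectURL = URL.createObjectURL;

// Assumed whitelist for this example; the PR does not spell out Snow's actual one.
const ALLOWED_ARTIFICIAL_TYPES = new Set(['image/png', 'image/jpeg', 'text/plain']);

// Every Blob built through the hooked constructor is marked here. Native blobs
// (fetch responses, etc.) never pass through it, so they are simply absent.
const artificialBlobs = new WeakSet();

// Compare on the MIME essence: "text/html; charset=utf-8" -> "text/html".
// Blob.type is already lower-cased by the platform, but normalise anyway.
function mimeEssence(type) {
  return String(type || '').split(';')[0].trim().toLowerCase();
}

function isArtificialBlob(obj) {
  return obj instanceof NativeBlob && artificialBlobs.has(obj);
}

// Policy: artificial + non-whitelisted type (including an empty type) is refused;
// everything else, notably native blobs, goes straight to the platform.
function guardedCreateObjectURL(obj) {
  if (isArtificialBlob(obj) && !ALLOWED_ARTIFICIAL_TYPES.has(mimeEssence(obj.type))) {
    throw new TypeError(
      `refusing object URL for script-made blob of type "${obj.type || '(empty)'}"`,
    );
  }
  return nativeCreateObjectURL.call(URL, obj);
}

function installBlobGuard() {
  class GuardedBlob extends NativeBlob {
    constructor(...args) {
      super(...args);
      artificialBlobs.add(this);
    }
  }
  globalThis.Blob = GuardedBlob;

  // slice() returns a fresh Blob through the platform's own path, so the mark
  // must be propagated or `new Blob([html]).slice(0, n, 'text/html')` launders itself.
  NativeBlob.prototype.slice = function slice(...args) {
    const out = nativeSlice.apply(this, args);
    if (artificialBlobs.has(this)) artificialBlobs.add(out);
    return out;
  };

  URL.createObjectURL = guardedCreateObjectURL;
}

// Constructed stand-in for what fetch(...).blob() hands back: built with the
// original constructor, so the hook never sees it (assumption for offline use).
function nativeLikeBlob(text, type) {
  return new NativeBlob([text], { type });
}

// Returns the decision instead of throwing so each scenario can be inspected.
function tryObjectURL(blob) {
  try {
    return { allowed: true, url: URL.createObjectURL(blob) };
  } catch (err) {
    return { allowed: false, reason: err.message };
  }
}

installBlobGuard();

// Scenarios from the PR discussion (constructed sample payload).
const html = '<script>alert(document.domain)</script>';
const scriptHtml = tryObjectURL(new Blob([html], { type: 'text/html' }));          // blocked
const scriptPng = tryObjectURL(new Blob([new Uint8Array(8)], { type: 'image/png' })); // allowed
const sliced = tryObjectURL(
  new Blob([html], { type: 'text/plain' }).slice(0, html.length, 'text/html'),   // blocked
);
const nativeHtml = tryObjectURL(nativeLikeBlob(html, 'text/html'));              // allowed: the gap CSP must cover
```

The last scenario is the point the PR keeps returning to: a native `text/html` blob fetched by an attacker becomes an object URL unhindered, so the guard only makes sense alongside a CSP that constrains where such content can come from. In a browser the `WeakSet` mark must also be applied in every realm (iframes, workers) the page can create, which is the part of the job Snow itself takes on and this sketch does not.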
weizman merged commit e6359c3 into main on Jun 14, 2023
weizman deleted the fix-issue-87 branch on Jun 14, 2023 15:03
weizman mentioned this pull request on Jul 17, 2023