Better handle requests in activated widgets #2662
Labels: enhancement; widgets (Click-to-activate placeholders for blocked but potentially useful social buttons/widgets)
When you activate a widget (click "allow once" or "always allow on this site" (#2653) in our placeholder), we currently not only temporarily allow requests with domains specified in the widget JSON's `unblockDomains` array, but also requests that originate from frames whose domains are specified in `unblockDomains`. Furthermore, when we temporarily allow domains, we don't report them in the popup.

While this seems to restore full functionality to activated widgets, it comes with excessive loss of privacy to advertising/tracking domains, and complete lack of visibility/control over these widget-spawned domains in Privacy Badger's UI.
One idea would be to stop allowing requests based on their frame, and instead expand `unblockDomains` lists to fully cover all required widget domains. This will improve privacy at the expense of maintenance/potential widget breakage.

It's less clear what to do about visibility/control. Temporarily allowed domains are neither tracking-but-haven't-yet-seen-enough-to-decide-to-block nor not-yet-seen-to-track. I think this ties into a specialized UI for widget replacement in the popup (a UI to help in cases when we block a widget but aren't able to properly replace it for whatever reason). So, solving this could be a two-step process, where we first tackle privacy and then reporting.
This issue gains importance as we continue to expand the use of widget replacement.
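
An added example, not part of the issue and not Privacy Badger's code: it compares the frame-based allowance described above with the proposed list-only allowance and reports which domains are allowed today only because of their frame. The widget entry, the request records, the helper names and the subdomain matching rule are all assumptions made for illustration.

```javascript
// Added illustration; not Privacy Badger code. All names and data are constructed.
const widget = { name: "ExampleVideo", unblockDomains: ["player.example", "cdn.player.example"] };

// Assumption: a host matches an entry if it equals it or is a subdomain of it.
function hostMatches(host, entries) {
  return entries.some(d => host === d || host.endsWith("." + d));
}

const hostOf = url => new URL(url).hostname;

// Behaviour described in the issue: allow listed domains AND any request
// that originates from a frame whose domain is listed.
function allowedFrameBased(req, w) {
  return hostMatches(hostOf(req.url), w.unblockDomains) ||
         hostMatches(hostOf(req.frameUrl), w.unblockDomains);
}

// Proposed behaviour: allow only domains listed in unblockDomains.
function allowedListOnly(req, w) {
  return hostMatches(hostOf(req.url), w.unblockDomains);
}

// Domains that get through today solely because of their frame. Each one is
// either a required widget domain missing from unblockDomains, or a
// tracker that the proposed change would stop allowing.
function auditWidget(requests, w) {
  const viaFrameOnly = new Set();
  for (const req of requests) {
    if (allowedFrameBased(req, w) && !allowedListOnly(req, w)) {
      viaFrameOnly.add(hostOf(req.url));
    }
  }
  return [...viaFrameOnly].sort();
}

// Constructed request log: { requested URL, URL of the frame that issued it }.
const sampleRequests = [
  { url: "https://player.example/embed/123", frameUrl: "https://news.example/story" },
  { url: "https://cdn.player.example/v.js", frameUrl: "https://player.example/embed/123" },
  { url: "https://ads.tracker.example/pixel", frameUrl: "https://player.example/embed/123" },
  { url: "https://metrics.example/collect", frameUrl: "https://player.example/embed/123" },
  { url: "https://ads.tracker.example/pixel", frameUrl: "https://news.example/story" },
];

console.log(auditWidget(sampleRequests, widget));
```

The returned list is also the set of domains a popup would need to surface if temporarily allowed domains were reported.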