
WIP: Cache partitioning #191

Draft
jupenur wants to merge 9 commits into main from cache-partitioning

WIP: Cache partitioning#191
jupenur wants to merge 9 commits into
mainfrom
cache-partitioning

Conversation

@jupenur (Member) commented Jun 4, 2026

There's a lot of stuff crammed into this PR, so bear with me. The basics:

  1. The origins cache as well as nonOrigins and tabs globals are now partitioned by first party origin and incognito status. That's done by using composite cache keys implemented using the new CacheKey function. This part is largely trivial.
  2. There is a new utility function getFirstParty to help determine the correct cache partition for a webRequest details object. This is where things get a bit hairy, but there are comments in the function to help navigate it.
  3. There are three cases where the first party origin cannot be determined based on a webRequest details object alone:
    1. When the request is related to a SharedWorker; in this case we patch the SharedWorker constructor to include the first party origin in the worker script's URL fragment.
    2. When the request is related to a ServiceWorker; piggybacking on URL fragments doesn't work because the URL fragment is explicitly cleared by the browser; instead we completely block service worker registration in frames and assume the first party origin for any service worker is the origin of the service worker.
    3. When the request is related to a Worker; this case should be easy, but due to BMO#2048884 we need to do similar patching as with shared workers.

Some hairy details:

  1. To piggyback on the URL fragment of a worker script, we use a randomly generated marker, firstPartyMarker, that can be reliably detected on the other end. This marker must not leak outside the extension, because knowing the marker would allow an attacker to spoof the first party origin and force the use of an arbitrary cache partition.
  2. To hide the modified URL fragment of a worker script, we also need to patch WorkerLocation.
  3. There's still the risk that I've missed some case where the first party origin cannot be determined. I've tried to make getFirstParty fail securely by emitting a unique origin in that case, effectively disabling the cache. If that happens, the function also logs a warning.

Some additional stuff in this PR:

  1. With c897807, the CI pipeline updates NoScript automatically in case there is a new version of it not bundled with TBB yet. I added that because of the AudioWorklet bug in NoScript.
  2. I overhauled the JavaScript hooking mechanism pretty thoroughly. There's now an updatableHook function that handles delivering async data to a hook in a reusable manner.
  3. I started using JSDoc comments in the hook library because they're surfaced nicely in IDEs. I think we should start using basic JSDoc syntax everywhere.
