Prompt for host permission instead of requiring CORS

[freaktechnik]

Not only is CORS not very scalable if you don't want to allow *, but there's a better mechanism for extensions: you can declare <all_urls> as an optional permission and then request the permission on a per-host basis. The complicated part, of course, is that the setup is running in a popup, and permission prompts open a popup, so it would probably have to be staggered, where the popup shows a toast saying that you should now close the popup to grant the permission or similar. Not quite sure how to manage that while keeping it a user interaction. Might for example work by prompting the next time you click the extension button instead of showing the panel, or showing a notification that triggers the permission prompt.