attribution-reporting-api

RFC1918 protection needs to be added to the spec

Open MattMenke2 opened this issue 4 years ago • 0 comments

RFC1918 requires protections against requests initiated by remote sites being made to local devices, to protect local devices whose security models rely on them not being web-accessible from being web-accessible through cross-site requests. Normally, web-initiated requests are associated with a browsing context, so inherit RFC1918 protections through the browsing context.

Conversion measurement API reports, however, aren't made in the context of a webpage, so are unable to inherit these protections. The spec should be updated to provide these protections.

Disclaimer: I'm not familiar with the standards work going on here, just with Chrome's implementation of it, so can't really provide any feedback on how best to cover these protections in the markdown files.

MattMenke2, Sep 14 '21 15:09
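
An added example, not part of the issue above and not Chrome's or the spec's code: one way a report sender with no browsing context could apply the kind of protection the issue asks for, by classifying every resolved address of the reporting endpoint and refusing to send to anything less public than the initiator. The three-level address-space model, the range list, and the names `classify` and `report_allowed` are assumptions of this sketch; the addresses in the comments and tests are constructed.

```python
import ipaddress
from enum import IntEnum


class AddressSpace(IntEnum):
    # Ordered from least to most public (assumed three-level model).
    LOCAL = 0    # loopback and the unspecified address
    PRIVATE = 1  # RFC 1918, link-local, IPv6 unique-local
    PUBLIC = 2


# Ranges this example treats as private (a simplified list).
_PRIVATE_NETS = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",  # RFC 1918
    "169.254.0.0/16", "fe80::/10",                      # link-local
    "fc00::/7",                                         # IPv6 unique-local
)]


def classify(addr: str) -> AddressSpace:
    """Map a textual IP address to an address space."""
    ip = ipaddress.ip_address(addr)
    # Unwrap IPv4-mapped IPv6 so ::ffff:192.168.0.1 is not seen as public.
    if ip.version == 6 and ip.ipv4_mapped is not None:
        ip = ip.ipv4_mapped
    # The unspecified address is treated as local in this example.
    if ip.is_loopback or ip.is_unspecified:
        return AddressSpace.LOCAL
    if any(ip in net for net in _PRIVATE_NETS):
        return AddressSpace.PRIVATE
    return AddressSpace.PUBLIC


def report_allowed(resolved_addrs, initiator=AddressSpace.PUBLIC) -> bool:
    """Decide whether a context-less report may be sent.

    A report has no browsing context to inherit from, so the initiator
    is assumed PUBLIC. Every resolved address is checked, because a DNS
    answer can mix public and private records; one non-public record
    blocks the send. An empty answer set is rejected, not allowed.
    """
    if not resolved_addrs:
        return False
    return all(classify(a) >= initiator for a in resolved_addrs)
```

The check has to run against the address the connection actually uses, since a hostname can resolve differently between the check and the connect.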