Trim the NoScript whitelist
The NoScript whitelist currently allows blob: URLs, all about: URLs, and chrome: URLs.
We definitely want to remove blob: URLs, because of #15502 (moved). We also don't appear to need chrome: URLs, and Giorgio recommends we remove the blanket allow on about: URLs in favor of a the list of specific about urls we know we need.
We do need resource: urls for pdf.js though. For some reason, the cascading permissions does not properly allow them in pdf.js when you click "Temporarily allow all this page".
Unfortunately, updating this list is not easy. We need to push an update in extension-overrides.js to set 'noscript.mandatory' and 'noscript.default', but that will not affect 'capability.policy.maonoscript.sites' for people who upgrade. Hence we need to add one-time code to Torbutton that removes the extra schemes from 'capability.policy.maonoscript.sites' and sets a pref so it doesn't do it again.