annevk/orb

Restrict fetch(..., { mode: "no-cors" }) more

annevk opened this issue · 0 comments

We based what fetch() with no-cors can do upon CORS, but while that makes sense for requests, it doesn't make a whole lot of sense for responses now that opaque response has lost some of its meaning due to Spectre.

This was previously discussed in w3c/ServiceWorker#1509. It seems easy to have an early block if request's method was not GET.

I don't know if we want to do anything about request headers; though it does seem kind of suspicious if a GET comes with a Content-Type header, it also doesn't seem like the kind of thing a server would trip over (famous last words?).

cc @jakearchibald

Related bugs (some hidden, but it was long ago decided to disclose this):
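As an added illustration (not code from this issue, the Fetch spec or any browser), a small JavaScript model of the early block proposed above: a `no-cors` request whose method is not GET is refused before it is sent, while a Content-Type header on a GET is only reported, since the issue leaves header handling open. The function `evaluateNoCorsRequest` and the plain-object request shape are assumptions made for the example.

```javascript
// Hypothetical model of the early block this issue proposes for
// fetch(..., { mode: "no-cors" }). Not Fetch spec or browser code.

// A request here is a plain object { method, mode, headers }, with
// headers as a name -> value map (constructed for this example).
function evaluateNoCorsRequest(request) {
  if (request.mode !== "no-cors") {
    // Other modes are governed by CORS itself and are out of scope here.
    return { block: false, reason: "mode is not no-cors", suspicious: [] };
  }
  const method = String(request.method || "GET").toUpperCase();
  if (method !== "GET") {
    // The early block: refuse before the request ever leaves the browser.
    return { block: true, reason: `method ${method} is not GET`, suspicious: [] };
  }
  const suspicious = [];
  for (const name of Object.keys(request.headers || {})) {
    // A GET carrying Content-Type is unusual; the issue leaves open whether
    // to act on it, so this model only reports it and does not block.
    if (name.toLowerCase() === "content-type") {
      suspicious.push("Content-Type header on a GET request");
    }
  }
  return { block: false, reason: "GET is allowed", suspicious };
}

// Constructed sample requests exercising each branch.
const samples = [
  { method: "GET", mode: "no-cors", headers: {} },
  { method: "POST", mode: "no-cors", headers: { "Content-Type": "text/plain" } },
  { method: "get", mode: "no-cors", headers: { "content-type": "text/plain" } },
  { method: "POST", mode: "cors", headers: {} },
];

function evaluateAll(requests) {
  return requests.map(evaluateNoCorsRequest);
}

for (const [i, result] of evaluateAll(samples).entries()) {
  console.log(i, JSON.stringify(result));
}
```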