Prevent a new ServiceWorker from being installed after the page loads

Alex Gleason requested to merge lock-sw into main

Summary

This is a client-side security measure to prevent unauthorized ServiceWorkers from being installed.

Attackers can use XSS to install a new ServiceWorker, overwriting the one installed by Soapbox. This MR will prevent that in the majority of cases, even if no CSP is configured and if XSS is possible.

We simply overwrite navigator.serviceWorker.register to throw an error, right after kicking off the promise to install the initial worker. Since the global API has been changed, it's not possible to revert it or to access that API anymore during the rest of the page's lifecycle.
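The locking technique described above, as an added example that is not Soapbox's code or part of this merge request. It runs under Node against a constructed stand-in for `navigator.serviceWorker` (the real API is a promise-returning `register(scriptURL, options)`), installs the legitimate worker first, then locks `register`. One assumption beyond the MR text: the lock is applied with `Object.defineProperty` (non-writable, non-configurable) rather than a plain assignment, since a plain `obj.register = ...` can be assigned over again by any later script, and the example's `attemptHijack` shows what injected script can and cannot do afterwards.

```javascript
// Added example, not Soapbox's own code. Models the "lock
// navigator.serviceWorker.register after installing the initial worker"
// idea from the merge request, using a constructed fake container so it
// runs in Node without a browser.

// Constructed stand-in for the browser's ServiceWorkerContainer.
function makeFakeServiceWorkerContainer() {
  const registrations = [];
  return {
    registrations,
    register(scriptURL, options = {}) {
      const scope = options.scope || '/';
      registrations.push({ scriptURL, scope });
      return Promise.resolve({ scope });
    },
  };
}

// Replace register() with a throwing stub and make the property
// non-writable and non-configurable (assumption: the MR only says
// "overwrite"; defineProperty is the added hardening that stops a later
// plain assignment or redefinition from restoring a usable register()).
function lockServiceWorkerRegistration(container) {
  const locked = function register() {
    throw new Error('ServiceWorker registration is locked');
  };
  Object.freeze(locked);
  Object.defineProperty(container, 'register', {
    value: locked,
    writable: false,
    configurable: false,
    enumerable: true,
  });
  return container;
}

// Kick off the legitimate registration, then lock the API for the rest of
// the page's lifecycle. Returns the pending registration promise.
function installAndLock(container, scriptURL) {
  const pending = container.register(scriptURL, { scope: '/' });
  lockServiceWorkerRegistration(container);
  return pending;
}

// What injected (XSS) script might try afterwards: call register, assign
// over it, redefine it, delete it. Each flag records whether the attempt
// produced a working registration path.
function attemptHijack(container) {
  const result = { registered: false, reassigned: false, redefined: false, deleted: false };
  try { container.register('/evil-sw.js'); result.registered = true; } catch (e) {}
  try {
    // Silent no-op in sloppy mode, TypeError in strict mode; either way the
    // follow-up call below shows whether it took effect.
    container.register = function (url) { container.registrations.push({ scriptURL: url, scope: '/' }); };
  } catch (e) {}
  try { container.register('/evil-sw.js'); result.reassigned = true; } catch (e) {}
  try {
    Object.defineProperty(container, 'register', { value: function () {} });
    result.redefined = true;
  } catch (e) {}
  try {
    if (delete container.register) result.deleted = true;
  } catch (e) {}
  return result;
}

// Full scenario: legitimate install, lock, then the hijack attempts.
function runScenario() {
  const container = makeFakeServiceWorkerContainer();
  installAndLock(container, '/sw.js');
  const hijack = attemptHijack(container);
  return { registrations: container.registrations.slice(), hijack };
}

console.log(JSON.stringify(runScenario(), null, 2));
```

Two caveats a practitioner should keep in mind. First, the lock only covers the realm it runs in: script that can create a same-origin iframe gets a fresh `navigator.serviceWorker` in that frame, so this is defense in depth alongside a CSP, not a replacement for one. Second, the non-configurable descriptor is what makes the lock irreversible within the realm; with a plain assignment, `attemptHijack` would report `reassigned: true`.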