Ref T6755. This is a partial fix, but:

• Allow netblocks to be blacklisted instead of making the feature all-or-nothing.
• Default to disallow requests to all reserved private/local/special IP blocks. This should generally be a "safe" setting.
• Explain the risks better.
• Improve the errors rasied by Macro when failing.
• Removed security.allow-outbound-http, as it is superseded by this setting and is somewhat misleading.
  • We still make outbound HTTP requests to OAuth.
  • We still make outbound HTTP requests for repositories.

From a technical perspective:

• Separate URIs that are safe to link to or redirect to (basically, not "javascript://") from URIs that are safe to fetch (nothing in a private block).
• Add the default blacklist.
• Be more careful with response data in Macro fetching, and don't let the user see it if it isn't ultimately valid.

Additionally:

• I want to do this check before pulling repositories, but that's enough of a mess that it should go in a separate diff.
• The future implementation of T4190 needs to perform the fetch check.

• Fetched a valid macro.
• Fetched a non-image, verified it didn't result in a viewable file.
• Fetched a private-ip-space image, got an error.
• Fetched a 404, got a useful-enough error without additional revealing response content (which is usually HTML anyway and not useful).
• Fetched a bad protocol, got an error.
• Linked to a local resource, a phriction page, a valid remote site, all worked.
• Linked to private IP space, which worked fine (we want to let you link and redierect to other private services, just not fetch them).
• Added and executed unit tests.