editorExtension feature should be brought under new 3rd party scheme

[tballmsft]

In pxt-microbit/targetconfig.json, see

        "approvedEditorExtensionUrls": [
            "https://microsoft.github.io/ml4f/",
            "https://microsoft.github.io/jacdac-docs/tools/makecode-editor-extension"
        ],

These "editors" are invoked via a button in the toolbox and opens a new page (inside an iframe in MakeCode), with content served by the URL. So this has the same issue that Eric addressed in the new 3rd party SHA-based extension.

For example, when you load the Jacdac extensions, you will get the "Configure" button in the Modules tray because pxt.json in microsoft/pxt-jacdac has this:

    "extension": {
        "namespace": "modules",
        "label": "Configure",
        "group": "Roles",
        "url": "https://microsoft.github.io/jacdac-docs/tools/makecode-editor-extension",
        "localUrl": "http://localhost:8000/tools/makecode-editor-extension"
    },

you will see

There is an iframe protocol that allows the "editor" to inject code into the project:

https://makecode.com/extensions/extensions