[Spec] Overhaul 'restricting the text fragment' section (#239)

* Use userInvolvement instead of sec-fetch-site

sec-fetch-site was being checked for 'none' to indicate that a navigation was
initiated from browser UI. However, we cannot inspect request headers from this
part of the algorithm.

Instead, the navigate algorithm now has a userInvolvement parameter which
provides this information explicitly. Plumb that into navigation params and use
it instead.

Additionally, this change removes the top-level browsing context check from the
document's text directive user activation flag since that's a confusing place to
check it. Instead, move it to where this flag is being read and remove a
(now-obviously) redundant check below.

* Use initiatorOrigin instead of sec-fetch-site

`sec-fetch-site: same-origin` was being checked to tell if a navigation was
initiated by a different origin. However, request headers can't be inspected at
this point of the algorithm.

Plumb through the initiatorOrigin parameter when loading a document and compare
that with navigation params's origin field, using the `is same site` steps.

* Enable same-document navigations

The main change in this commit is that enables same-document navigations
(with restrictions) by moving the security checks to also happen from
the navigate to fragment. As part of this, we do a fairly substantial
clean up and refresh of the 'restricting a text fragment' section. The
summarized high level changes:

  * Split out the restrictions into a single set of 'check if a text
    directive can be scrolled' steps, taking the necessary input as
    parameters.
  * Remove the 'allow text fragment scroll` flag on Document, instead
    computing this value and passing it through various steps into
    'scroll to the fragment'.
  * The restriction is placed only on the 'scroll to the fragment'
    steps, meaning the text directive is still the 'indicated part' and
    can remain highlighted.

Partially addresses #240