Replace references to the "sync-xhr" policy-controlled feature

[sideshowbarker]

whatwg/xhr#322 drops the sync-xhr policy-controlled feature from XHR.

There are two references to the sync-xhr feature that should therefore be be replaced in the Permissions Policy spec:

webappsec-permissions-policy/index.bs

Lines 544 to 547 in ab4fa82

	new_frame.allow = 'sync-xhr';
	// This will be true, as the iframe is allowed to use sync-xhr at whatever URL is
	// mentioned in its src attribute, even though that attribute is not yet set.
	const is_sync_xhr_allowed = new_frame.permissionsPolicy.allowsFeature('sync-xhr');

webappsec-permissions-policy/index.bs

Lines 1106 to 1129 in ab4fa82

	<div class="example">
	<p>As a practical (though contrived) example, consider a document which uses
	synchronous XMLHttpRequest to determine whether a user has sufficient
	privileges to access the page:</p>
	<pre>
	&lt;!DOCTYPE html&gt;
	&lt;h1&gt;Welcome to SecureCorp!&lt;/h1&gt;
	&lt;script&gt;
	var req = new XMLHttpRequest();
	req.open("GET", "/api/security_check.json", false);
	req.send();
	if (req.response == "untrusted user") {
	// User is not logged in; redirect to a safe page
	location.href = "/security_check_failed.html";
	}
	&lt;/script&gt;
	&lt;!-- Page continues with assumption that user is logged in --&gt;
	</pre>
	<p>If this document is embedded by a page which disables the
	"<code>sync-xhr</code>" feature, the call to `XMLHttpRequest.open()` would
	fail, and the security check would be bypassed.</p>
	</div>