Protect service JSONP responses against "Rosetta Flash" vulnerability.

The so-called "Rosetta Flash" vulnerability is that allowing arbitrary
yet identifier-like text at the beginning of a JSONP response is
sufficient for it to be interpreted as a Flash file executing in that
origin. See for more information:
http://miki.it/blog/2014/7/8/abusing-jsonp-with-rosetta-flash/

All JSONP responses from Caja services now:
* are prefixed with "/**/", which still allows them to execute as JSONP
  but removes requester control over the first bytes of the response.
* have the response header Content-Disposition: attachment.

Another recommended mitigation, "X-Content-Type-Options: nosniff", was
already present.

This change includes a backport of r5619 "Convert fetching proxy tests
to client-side tests." which was previously skipped, so as to simplify
applying the same fix to the ES5 branch.

Bug: <https://code.google.com/p/google-caja/issues/detail?id=1923>

@r5698

[kpreid_google, 2014-08-05 23:37:50]

The so-called "Rosetta Flash" vulnerability is that allowing arbitrary
yet identifier-like text at the beginning of a JSONP response is
sufficient for it to be interpreted as a Flash file executing in that
origin. See for more information:
http://miki.it/blog/2014/7/8/abusing-jsonp-with-rosetta-flash/

All JSONP responses from Caja services now:
* are prefixed with "/**/", which still allows them to execute as JSONP
  but removes requester control over the first bytes of the response.
* have the response header Content-Disposition: attachment.

Another recommended mitigation, "X-Content-Type-Options: nosniff", was
already present.

This change includes a backport of r5619 "Convert fetching proxy tests
to client-side tests." which was previously skipped, so as to simplify
applying the same fix to the ES5 branch.

Bug: <https://code.google.com/p/google-caja/issues/detail?id=1923>

[felix8a, 2014-08-06 00:14:44]

lgtm.