Implement speculative loading considerations for safer behavior

[felixarntz]

Summary

Fixes #1157

Relevant technical choices

• Disables speculative loading completely for logged-in users.
  • This is in line with the already present exclusions for wp-admin and wp-login.php.
• Excludes URLs with query parameters when pretty permalinks are enabled and disables speculative loading completely by default if pretty permalinks are disabled.
  • A filter can be used to opt in to speculative loading even without pretty permalinks. In this case the query parameter exclusion does not apply, so it is more risky - hence it's opt-in for such sites.
• Changes the /wp-login.php URL exclusion to /wp-*.php, as there are other files in the WordPress root directory that may be directly accessed and are safer to exclude, e.g. wp-activate.php and wp-signup.php (relevant mostly for Multisite).
  • Of course we could instead exclude the specific URLs, but a wildcard for this is easier to maintain and has no adverse effects.

[github-actions]

The following accounts have interacted with this PR and/or linked issues. I will continue to update these lists as activity occurs. You can also manually ask me to refresh this list by adding the props-bot label.

If you're merging code through a pull request on GitHub, copy and paste the following into the bottom of the merge commit message.

Co-authored-by: felixarntz <flixos90@git.wordpress.org>
Co-authored-by: westonruter <westonruter@git.wordpress.org>
Co-authored-by: AntonyXSI <antonynz@git.wordpress.org>

To understand the WordPress project's expectations around crediting contributors, please review the Contributor Attribution page in the Core Handbook.

[westonruter]

The readme should probably be updated to note the new restrictions, in particular for the authentication requirement.

[codecov]

Codecov Report

All modified and coverable lines are covered by tests ✅

Project coverage is 57.48%. Comparing base (4693bee) to head (4898dfc).
Report is 12 commits behind head on trunk.

Additional details and impacted files

@@            Coverage Diff             @@
##            trunk    #1784      +/-   ##
==========================================
+ Coverage   57.42%   57.48%   +0.06%     
==========================================
  Files          84       84              
  Lines        6506     6516      +10     
==========================================
+ Hits         3736     3746      +10     
  Misses       2770     2770              

Flag	Coverage Δ
multisite	57.48% <100.00%> (+0.06%)	⬆️
single	34.51% <60.00%> (+0.03%)	⬆️

Flags with carried forward coverage won't be shown. Click here to find out more.

☔ View full report in Codecov by Sentry.
📢 Have feedback on the report? Share it here.