Add modal confirmation dialog to folder upload

Before this change <input webkitdirectory/> contains a severe security
hole as tricking the user to hold ENTER is sufficient to share a large
swath of their filesystem (for Windows this is usually Desktop).

The exploit works as follows:

1. A site tricks the user into holding ENTER (this is trivial).
2. While detecting that the user is holding ENTER, trigger a hidden
   <input webkitdirectory/> field (input.click()).
3. The folder picker is shown but accepted instantly, which gives the
   site read access to whatever happens to be selected. On my Windows
   machine I've observed this to be the Desktop, but I've seen other
   selections as well (maybe the user folder).

To prevent sharing files without the user's consent this change
introduces a modal interstitial that:

1. Tells the user what's about to be shared (N files, from directory X).
2. Advises the user only to do this for sites they trust.
3. Defaults to Cancel so that the example gesture laundering does not
   work.

This method has a couple of benefits. It provides additional information
to the user which might accidentally have selected the wrong folder and
is about to upload more files than intended. It doesn't rely on
OS-specific behavior, so it provides level protection everywhere. It
also has a lower maintenance cost as it doesn't need to be added for new
platforms or updates to existing OS APIs.

There's opportunity for better laundering protection (such as preventing
the dialog from being accepted too quickly), but the attack surface is
significantly smaller with this mitigation implemented.

According to usage counters <input webkitdirectory/> is used for <0.001%
of page loads (below the consideration-for-deprecation threshold), which
makes the interruption fairly low while providing significant additional
protection against a malicious attacker.

Bug: chromium:637098
Change-Id: I8ac43f8a61cd4476f581b9e57b07cdf88e28f85c
Reviewed-on: https://chromium-review.googlesource.com/929809
Reviewed-by: Scott Violet <sky@chromium.org>
Commit-Queue: Peter Boström <pbos@chromium.org>
Cr-Commit-Position: refs/heads/master@{#538590}
10 files changed