Sharpen point about promises and permissions #578

@martinthomson

@jyasskin observes:

Interestingly, https://w3ctag.github.io/design-principles/#promises says "An API might need to be asynchronous if ... the user agent needs to prompt the user for permission," but omits the idea that you should make things asynchronous just in case.

One thing that we've understood to be true is that -- when an API involves capabilities that might involve privilege escalation, access to special capabilities, or user consent in any way -- that API should return a promise rather than returning immediately. Even in cases where the expectation is that the capability is going to be automatically granted, we need to leave space for different user agents to perform some amount of validation/checking, including asking for permission.

We should put something like that down.

There are a lot of places where we failed here. Popup windows are one. Pixel reading from Canvas is another.
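
An added illustration of the point in this issue (not part of the original post or of the design principles document): the same caller code is run against a user agent that grants automatically and one that needs time to decide. Every name here (`makeUserAgent`, `readPixelsSync`, `readPixels`, the policies) is hypothetical and does not model any real browser API.

```javascript
// Added illustration; every name here is hypothetical, not a real web API.
// A user agent with a pluggable permission policy. The policy may answer
// at once (auto-grant) or later (after a prompt or some other check).
function makeUserAgent(policy) {
  const pixels = [255, 0, 0, 255]; // constructed sample data
  return {
    // Synchronous shape: the result must exist when the call returns, so a
    // policy that needs time to decide cannot be honoured.
    readPixelsSync() {
      const decision = policy();
      if (decision instanceof Promise) {
        throw new Error("sync API cannot wait for a permission decision");
      }
      if (!decision) throw new Error("NotAllowedError");
      return pixels.slice();
    },
    // Promise shape: the same call site works whether the policy grants
    // immediately, validates something first, or asks the user.
    async readPixels() {
      const granted = await policy();
      if (!granted) throw new Error("NotAllowedError");
      return pixels.slice();
    },
  };
}

// Policies two different user agents might choose.
const autoGrant = () => true;
const promptUser = (answer) => () =>
  new Promise((resolve) => setTimeout(() => resolve(answer), 10)); // simulated prompt

// Runs identical caller code against each policy and records the outcome.
async function demo() {
  const policies = {
    autoGrant, promptAllow: promptUser(true), promptDeny: promptUser(false),
  };
  const outcomes = {};
  for (const [name, policy] of Object.entries(policies)) {
    const ua = makeUserAgent(policy);
    let sync, promise;
    try { ua.readPixelsSync(); sync = "ok"; } catch (e) { sync = e.message; }
    try { await ua.readPixels(); promise = "ok"; } catch (e) { promise = e.message; }
    outcomes[name] = { sync, promise };
  }
  return outcomes;
}

demo().then((outcomes) => console.log(outcomes));
```

Only the promise-returning shape gives a usable answer under all three policies; the synchronous shape works only while every user agent grants automatically.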
