Performance and security improvements

[duncanplatt]

Summary

Performance

• Fix onUpdated event filter not being applied — the property filter
  object was outside the addListener() parentheses (comma expression),
  so every tab update fired the handler instead of only the six listed
  properties
• Replace busy-wait polling with exponential backoff — all while loops
  that spun on getTabValue/getActiveId with no delay now use bounded
  retries (5ms→10ms→20ms…) with timeouts, eliminating CPU spinning and
  potential infinite hangs
• Add tabs.warmup() on tab hover — pre-renders GPU resources when the
  user hovers a thumbnail, making subsequent tab switches faster
• Replace (new Date).getTime() with Date.now() across the codebase

Security

• Add explicit content_security_policy to manifest.json (matches
  Firefox default but makes the policy explicit)
• Remove unused cookies permission — reduces attack surface
• Fix undeclared tab variable in remove() — missing const caused a
  strict-mode ReferenceError that silently broke the "were tabs actually
  closed?" verification
• Validate message sender — background message handler now rejects
  messages from external extensions via sender.id check
• Add error handling for JSON.parse (backup restore) and decodeURI
  (tab tooltips) to prevent crashes on malformed input

Test plan

• Open Panorama View and verify tab groups display correctly
• Create, rename, and remove tab groups
• Hover over tab thumbnails, then click to switch — confirm switching
  feels responsive
• Drag tabs between groups
• Move tabs between windows and confirm they appear in the correct group
• Use keyboard shortcuts to cycle through groups (Ctrl+Alt+W / Q)
• Save and restore a backup file
• Attempt to load a non-JSON file as backup — should show error, not crash
• Verify on both Firefox < 138 (polyfill path) and Firefox ≥ 138 (native
  tabGroups API) if possible