  1. Cockpit
  2. COCKPIT-950

Prevent an iframe from opening a channel to a different host


    • Task
    • Resolution: Won't Do
    • Undefined
    • cy23q2

      We stopped recommending cockpit.spawn("foo", { host: "foo" }) but we should also disallow this from the shell or cockpit-ws.

      As this breaks existing consumers like RHCERT8 and an unknown set of custom user pages, we need to be careful here:

      • Never break this in RHEL 8 or 9, but time it so that RHEL 10 and the current Fedora devel version have this off by default
      • Provide some opt-in (in the manifest?), and only accept that for pages loaded from the same machine as the shell, not from remotely added hosts. That should mitigate most of the impact, but we need to check with RHCERT folks.
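
An added sketch of the policy proposed above, not Cockpit's code: a shell-side check applied to the channel "open" control messages a frame sends. The frame fields, the manifest key `allow-cross-host-channels` and the `"localhost"` label for the shell's own machine are assumptions made for this example.

```javascript
// Added illustration, not Cockpit's code. Hypothetical names: frame.host,
// frame.manifest, and the manifest key "allow-cross-host-channels".
const OPT_IN_KEY = "allow-cross-host-channels";
const SHELL_HOST = "localhost"; // assumed label for the machine serving the shell

function checkOpen(frame, control) {
    // Only channel "open" control messages carry a target host.
    if (control.command !== "open")
        return { allow: true, reason: "not an open" };

    // Assumption: an open without "host" targets the frame's own machine.
    const target = "host" in control ? control.host : frame.host;
    if (typeof target !== "string" || target === "")
        return { allow: false, reason: "malformed host" };

    // Exact string match; any other spelling is treated as a different host.
    if (target === frame.host)
        return { allow: true, reason: "same host" };

    // Cross-host: the opt-in is ignored for pages from remotely added hosts.
    if (frame.host !== SHELL_HOST)
        return { allow: false, reason: "remote page" };
    if (frame.manifest && frame.manifest[OPT_IN_KEY] === true)
        return { allow: true, reason: "local opt-in" };
    return { allow: false, reason: "no opt-in" };
}

// Constructed sample frames and the message cockpit.spawn("foo", { host: "foo" })
// would produce (channel id is made up).
const localPlain = { host: "localhost", manifest: {} };
const localOptIn = { host: "localhost", manifest: { [OPT_IN_KEY]: true } };
const remoteOptIn = { host: "web1", manifest: { [OPT_IN_KEY]: true } };
const crossOpen = { command: "open", channel: "c1", payload: "stream",
                    spawn: ["foo"], host: "foo" };

for (const [name, frame] of Object.entries({ localPlain, localOptIn, remoteOptIn }))
    console.log(name, checkOpen(frame, crossOpen));
```

The check fails closed: a page from a remotely added host is refused even when its manifest carries the opt-in, which is the restriction the second bullet asks for.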

              rhn-engineering-mpitt Martin Pitt
              jvanderw@redhat.com Jelle van der Waa
              Martin Pitt