[TASK] Make module requests Sec-Fetch-Dest aware

This change allows module URLs to be automatically framed by the
TYPO3 main controller whenever they are directly opened in the browser
address bar in a secure environment (e.g. https:// or .localhost TLD)
(In this case the Sec-Fetch-Dest=document is sent by browsers). See:
https://w3c.github.io/webappsec-fetch-metadata/#sec-fetch-dest-header

Note: This header is already supported by Chrome, Edge and
Firefox nightly, only Safari does not deliver this header yet. Non
supporting browsers or unsafe http connections will gracefully fallback
to showing the module contents without the TYPO3 main frame being added.
This fallback behaviour is only triggered when a link is
opened in a new tab. Regular clicks are intercepted and
directly dispatched via module-router/iframe, as before.

This change allows to render the module menu with anchor tags
instead of buttons which lets users decide how and where a
module should be opened.

Long term goal is to improve accessibility by using real
links not only in module menu (as we had in TYPO3 v7), but
actually everywhere (for example in the database record list),
in order for the user to decide whether to open a link in
the current or a new tab.
This will require enhancing FormEngine routes with module
information and is therefore out of scope for this change.

Resolves: #94084
Releases: master
Change-Id: Iaad8fe62644ec6c9cb1aaa4c92ce2e8e3eeab7bd
Reviewed-on: https://review.typo3.org/c/Packages/TYPO3.CMS/+/69058


Tested-by: Oliver Hader <oliver.hader@typo3.org>
Tested-by: Benni Mack <benni@typo3.org>
Tested-by: core-ci <typo3@b13.com>
Tested-by: Benjamin Franzke <bfr@qbus.de>
Reviewed-by: Oliver Hader <oliver.hader@typo3.org>
Reviewed-by: Benni Mack <benni@typo3.org>
Reviewed-by: Benjamin Franzke <bfr@qbus.de>