Problem/Motivation
In #2962525: Create a field widget for the Media library module, a new View is added for all users with the "View media" permission. There is nothing inherently dangerous or special about this view, but because anonymous users often have the "View media" permission, sites may prefer to allow access to the view only when it is opened from the widget.
- Right now, the media library depends on a state value object derived from URL query parameters. Users are not supposed to tamper with those parameters, but we have no mechanism in place to prevent that. So we need to implement a tamper-proof hash, similar to what Media does in its IframeUrlHelper class, to prevent people from messing with the query parameters in the first place.
- Secondly, as @marcoscano points out in #15, a permission might be too blunt of an instrument for controlling access to the media library, simply because it can potentially be used in a bunch of different places and in different ways. With a permission, a site builder would need to grant at least two permissions to authors in order to allow them to use the media library at all -- they'd need the "view media" permission, and permission to access the media reference field at all. That's a big fat DrupalWTF that we should do our best to avoid. Instead, we will implement some sort of system, probably based on the event system, to ask the opener (i.e., the field or the WYSIWYG editor in question) to allow or deny access to the media library, based on the parameters in the state object. Since the state object is central to computing access this way, we'll need the tamper-proofing in place first.
- Finally, the media library view has two displays (grid and table), and neither can really be used without a valid state object. Yet there is nothing enforcing that constraint -- if you have the "view media" permission, you can see the media library. So we want to deny access to all displays of the media library view (except the standalone ones at /admin/content/media) if there is no valid state object present.
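To illustrate the first point, here is an added example (not code from the core patch or from Drupal's IframeUrlHelper) of a keyed hash over the media library state parameters: the hash is derived from a site-private key and a canonical form of the query values, and verification uses a constant-time comparison so that any edited parameter invalidates the request. The parameter names, the class name and the key value are assumptions for the sake of the example.

```php
<?php
// Added example (not the core patch): tamper-evident hash over the media
// library state carried in the URL query, in the spirit of IframeUrlHelper.
// Assumptions: the parameter names below, and a site-private key that in
// practice would come from the site's settings (here a constructed value).

final class MediaLibraryStateHasher {
  private const STATE_KEYS = [
    'media_library_opener_id',
    'media_library_allowed_types',
    'media_library_selected_type',
    'media_library_remaining',
  ];

  private string $privateKey;

  public function __construct(string $privateKey) {
    $this->privateKey = $privateKey;
  }

  /** Derive a keyed hash (HMAC-SHA256) over the canonical state parameters. */
  public function hash(array $query): string {
    $state = [];
    foreach (self::STATE_KEYS as $key) {
      if (!array_key_exists($key, $query)) {
        throw new InvalidArgumentException("Missing state parameter: $key");
      }
      $value = $query[$key];
      // Normalize list values so that ordering alone cannot change the hash.
      if (is_array($value)) {
        sort($value, SORT_STRING);
        $value = implode(',', $value);
      }
      $state[$key] = (string) $value;
    }
    ksort($state);
    return hash_hmac('sha256', http_build_query($state), $this->privateKey);
  }

  /** TRUE only if the query carries a hash that matches its own parameters. */
  public function isValid(array $query): bool {
    if (empty($query['hash']) || !is_string($query['hash'])) {
      return FALSE;
    }
    try {
      $expected = $this->hash($query);
    }
    catch (InvalidArgumentException $e) {
      return FALSE;
    }
    // Constant-time comparison avoids leaking the hash through timing.
    return hash_equals($expected, $query['hash']);
  }
}
```

A valid request is one whose `hash` parameter equals the hash recomputed from the other state parameters; changing any of them (for example raising `media_library_remaining`) makes `isValid()` return FALSE, which is the check the widget's access logic would rely on.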
Proposed resolution
Fix the following issues:
- DONE: #3038241: Implement a tamper-proof hash for the media library state
- #3038254: Delegate media library access to the "thing" that opened the library
- #3038350: Deny access to all widget displays of the media library view if there is no valid state object
Remaining tasks
Discuss solutions and scope, write patch.
User interface changes
None.
API changes
None.
Data model changes
None.