Split archive browsing and administration/moderation
Along with #3951, I think there needs to be another split of swh-web: currently, it is used for both:
- browsing (highly-untrusted) content of the archive
- administrative stuff (save code now, add-forge ticketing, deposit, mailmaps)
This means XSS vulnerabilities in the former can grant attackers access to the latter, because they are on the same domain (shared cookies and sessions).
#4028 would make it harder to exploit this kind of vulnerability, but it is still a large attack surface.
See !741 (closed) and !89 (closed) for examples of such vulnerabilities, which would have had negligible impact if privileged UIs were on a separate subdomain. (Note that, of course, issues like !99 (closed) and !1072 (closed) would not be mitigated by this, because they happen within administrative UIs.)
Migrated from T4231 (view on Phabricator)
Edited by Phabricator Migration user
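The mechanism behind the issue above (one origin, so one session cookie reaches both the browsing and the administrative views) and the mitigation (a separate subdomain) can be checked with a browser-like cookie jar. The following is an added example, not code from the issue or from swh-web: it uses Python's standard-library `http.cookiejar` to simulate how a browser scopes cookies, with assumed hostnames `archive.example.org` (browsing) and `admin.example.org` (administration). The first scenario shows a host-only session cookie staying on the host that set it; the second shows the caveat that a cookie issued with `Domain=example.org` is sent to every subdomain, which would undo the split.

```python
"""Simulate browser cookie scoping to show why splitting privileged UIs onto
their own subdomain limits what an XSS payload in the browsing UI can reach.

Added example; hostnames are assumptions, not real swh-web deployments.
"""
from email.message import Message
from http.cookiejar import CookieJar
from urllib.request import Request

# Assumed split: browsing UI and administrative UI on sibling subdomains.
ARCHIVE_ORIGIN = "https://archive.example.org/"
ADMIN_URL = "https://admin.example.org/admin/"
BROWSE_URL = "https://archive.example.org/browse/origin/"


class _SetCookieResponse:
    """Minimal stand-in for an HTTP response: CookieJar only needs .info()
    to return a message object exposing get_all('Set-Cookie')."""

    def __init__(self, set_cookie_values):
        self._headers = Message()
        for value in set_cookie_values:
            self._headers.add_header("Set-Cookie", value)

    def info(self):
        return self._headers


def receive_cookie(jar, origin_url, set_cookie_value):
    """Store one Set-Cookie header as if the browser received it from origin_url.
    CookieJar applies the same host/domain rules a browser would."""
    request = Request(origin_url)
    jar.extract_cookies(_SetCookieResponse([set_cookie_value]), request)


def cookie_header_for(jar, url):
    """Return the Cookie header the jar would attach to a request for url,
    or '' when no stored cookie is in scope for that host."""
    request = Request(url)
    jar.add_cookie_header(request)
    return request.get_header("Cookie") or ""


def host_only_cookie_isolation():
    """Session cookie set without a Domain attribute: host-only, so a request
    forged from the browsing origin to the admin host carries no session."""
    jar = CookieJar()
    receive_cookie(jar, ARCHIVE_ORIGIN,
                   "sessionid=s3cret; Path=/; Secure; HttpOnly")
    return {
        "browse": cookie_header_for(jar, BROWSE_URL),
        "admin": cookie_header_for(jar, ADMIN_URL),
    }


def parent_domain_cookie_leak():
    """Same cookie but issued with Domain=example.org: browsers send it to every
    subdomain, so the subdomain split no longer isolates the admin session."""
    jar = CookieJar()
    receive_cookie(jar, ARCHIVE_ORIGIN,
                   "sessionid=s3cret; Domain=example.org; Path=/; Secure; HttpOnly")
    return {
        "browse": cookie_header_for(jar, BROWSE_URL),
        "admin": cookie_header_for(jar, ADMIN_URL),
    }


if __name__ == "__main__":
    print("host-only cookie:", host_only_cookie_isolation())
    print("parent-domain cookie:", parent_domain_cookie_leak())
```

In the first scenario the admin request goes out with no Cookie header at all, so a script injected into the browsing UI cannot ride the victim's administrative session (and, being a different origin, cannot read the admin pages either). In the second the session cookie reaches both hosts. For a Django application such as swh-web the relevant knob is `SESSION_COOKIE_DOMAIN` (and `CSRF_COOKIE_DOMAIN`): their default of `None` produces host-only cookies, and setting them to the parent domain to share logins across subdomains would reintroduce exactly the exposure the issue describes.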