Always use OAuth if cookie storage is blocked

If third party cookies are blocked then OAuth is the only option for
authentication. Third party cookies may be blocked either by
privacy-enhancing extensions or browser settings, for example:

In Safari:
 1. Go to Settings -> Privacy
 2. Set "Cookies and website data" to "Allow from current website only"

In Chrome:
 1. Go to chrome://settings/content/cookies
 2. Enable "Block third-party cookies"
 3. Check that the h service domain is not listed under "Allow", which
    is something that the Hypothesis extensions do automatically.

Once OAuth has been shipped for all users, this code can be deleted.

src/sidebar/app.js

@@ -109,10 +109,24 @@ function processAppOpts() {
   }
 }
 
+function canSetCookies() {
+  // Try to add a short-lived cookie. Note the `document.cookie` setter has
+  // unusual semantics, this doesn't overwrite other cookies.
+  document.cookie = 'cookie-setter-test=1;max-age=5';
+  return document.cookie.indexOf('cookie-setter-test=1') !== -1;
+}
+
 function shouldUseOAuth() {
   if (serviceConfig(settings)) {
+    // If the host page supplies annotation service configuration, including a
+    // grant token, use OAuth.
+    return true;
+  }
+  if (!canSetCookies()) {
+    // If cookie storage is blocked by the browser, we have to use OAuth.
     return true;
   }
+  // Otherwise, use OAuth only if the feature flag is enabled.
   return settings.oauthClientId && settings.oauthEnabled;
 }