Whitelist the openLoginForm and openSidebar settings as being readable
from the host page even when the client is in a browser extension.

When you first install the Chrome extension it opens the /welcome page
in a tab, and it injects the openLoginForm and openSidebar settings into
the /welcome page in order to get the sidebar and login form to
automatically open on that page.

A previous change to prevent the Chrome extension from reading settings
from the page broke this /welcome page behaviour.

Fix it again by whitelisting the two required settings.

Of course this means that any page on the internet, not just the
/welcome page, and control these two settings, which is not what we
want, but it will do for now.