Old service workers cached in browsers still read `data.path` from the
push notification payload. Include it alongside `data.url` so notification
clicks keep working until those service workers update.
Currently we only register the service worker in the notification
settings screen, so this won't happen very often. Once we introduce
offline mode, we'll register the service worker in more places, so we
should be able to remove this.
Add SSRF protection for web push endpoints:
- Resolve endpoint IP once and pin it for connection
- Validate endpoints resolve to public IPs
- Whitelist permitted push service hosts
Add missing IP ranges to SsrfProtection:
- 100.64.0.0/10 (Carrier-grade NAT, RFC6598)
- 198.18.0.0/15 (Benchmark testing, RFC2544)
Note: link-local (169.254.0.0/16) is already covered by ip.link_local?