Allow spin.alt host for self-requests

[itowlson]

This is a proposal to address fermyon/spin-js-sdk#298.

The issue there is that JS guests use the inbuilt fetch function to make HTTP requests. If fetch sees a URL without a host, it helpfully prepends the host it thinks it's running on before letting Spin see it. So for a self-request such as fetch("/back"), Spin sees http://localhost:3000/back or whatever. Which is not on the allow list so gets the banhammer.

This PR reluctantly compromises with fetch by allowing self-requests via the pseudo-host self.alt. So if you do fetch("http://self.alt/back"), Spin will treat it as a self-request: it will validate permission using the self-request permission and route it as a self request.

The developer experience is, admittedly, not very lovely. But it hopefully gives JS folks an escape hatch.

Notes for reviewers:

• Self-request permission is still given via allowed_outbound_hosts = ["http://self"], not http://self.alt. Should we allow self.alt as another way of expressing the same permission?
• I implemented this only in wasi-http because that's what JS goes through. Should I implement it in spin-http too? It looked faffier there because of the way the types line up, but certainly do-able.

[karthik2804]

@itowlson this overall looks good, an alternate suggestion that came up during the original PR adding this feature also seems to indicate that this will benefit go.
#1710 (comment)