Theme CSS not added correctly when site requires authentication to view content

In #2289683: Select in-editor theme and get all stylesheets, the code to find the theme CSS was changed to require making an HTTP request to the Drupal site itself from PHP.

This works in some situations, but not all (here's another: #2884450: Theme CSS not added correctly when PHP can't make HTTP requests to the site itself).

One is where the site requires authentication to any access content. In that case, the HTTP request to wysiwyg_theme/% will fail, because the request isn't authenticated and that page callback requires the 'access content' permission.

We could remove the access restrictions, and that'll fix the situation where only vanilla Drupal authentication is used. However, if you're using CAS (with the 'cas' module), for example, and requiring CAS login, it'll still redirect all users who didn't login via CAS to the login page. This is actually the case where I discovered this issue, and it's possible to work around by excluding the URL "wysiwyg_theme/*" in the CAS settings - however, unless you've spent a lot of time digging into this, that's a pretty difficult thing to figure out. I suspect this affects other alternate login mechanisms too, which would need to be fixed in a similar way.

Like discussed on #2884450: Theme CSS not added correctly when PHP can't make HTTP requests to the site itself, if the theme CSS were figured out via a Javascript request rather than in PHP, this wouldn't be a problem because the Javascript request would use the same session and be able to access that URL regardless of what weird authentication Drupal may be using.