Description

This PR fixes three closely related issues in the GM_xmlhttpRequest implementation to improve compatibility with Tampermonkey (TM), prevent memory leaks, and handle Trusted Types Policy (TTP) environments safely.

Changes

• Non-enumerable response getters
  response, responseText and responseXML are now defined with non-enumerable getters (enumerable: false), matching Tampermonkey behavior.
  This prevents Object.assign({}, response), JSON.stringify(response), or similar operations from unintentionally triggering getters or exposing internal state.

• Memory leak fix via weak references
  Internal state is now managed through a WeakMap. Getters are attached lazily only after readyState === 4.
  This allows the garbage collector to reclaim memory once the consumer no longer references the response/XHR object, eliminating closure-induced leaks.

• Safe fallback for responseXML in TTP-restricted pages
  When DOMParser.parseFromString() fails due to Trusted Types violations (or other parse errors), responseXML now returns null instead of throwing.
  This matches Tampermonkey's observed behavior in restricted environments.

Related issues

• Closes [BUG] 未与 TM 对齐： DOMPraser 失败时 responseXML 应设为 null 而非 crash #1240
• Closes [BUG] response, responseXML, ... 的 enumerable 及 configurable 未与 TM 对齐 #1241

#1239 is a combination symptom of #1240 + #1241 (only reproducible when both conditions are met)

Important notes

• This PR does not attempt to bypass or work around Trusted Types restrictions.
• Scriptcat aligns strictly with Tampermonkey & Violentmonkey behavior in TTP-protected pages.
• No new dependencies or large refactors — change is localized to the GM_xmlhttpRequest logic.