NOTE: this PR isblocked; we want to first introduce this feature to port shares, as it has transpired that that use-case is far more common. It would be awkward to get this PR into the next release but not for port shares, so we're keeping this one on hold.

This PR introduces a partial fix for#15096; it allows operators to specify the CORS behavior on a per-coder_app level.

This change requirescors_behavior to be set on a givencoder_app;coder/terraform-provider-coder#309 introduces that new attribute.

coderd currently handles CORS automatically by handling preflight requests and stripping CORS headers from upstreamcoder_app responses.

Two CORS behaviors are defined in this PR:

• simple: the current behavior of handling CORS withincoderd
• passthru:new behavior which transparently bypasses our CORS handling incoderd so thecoder_app service is then fully responsible for handling CORS

We plan to further add this behavior toport shares.

The sharing level (owner,authenticated,public) is still respected, regardless of CORS behavior.