Continues#15669

This PR introduces a partial fix for#15096; it allows operators to specify the CORS behavior on a per-coder_app level.

This change requirescors_behavior to be set on a givencoder_app;coder/terraform-provider-coder#309 introduces that new attribute.

coderd currently handles CORS automatically by handling preflight requests and stripping CORS headers from upstreamcoder_app responses.

Two CORS behaviors are defined in this PR:

• simple: the current behavior of handling CORS withincoderd
• passthru:new behavior which transparently bypasses our CORS handling incoderd so thecoder_app service is then fully responsible for handling CORS

We plan to further add this behavior toport shares.

The sharing level (owner,authenticated,public) is still respected, regardless of CORS behavior.