fix(http): enable unsafe-headers feature on tauri-plugin-http

Without this Cargo feature, plugin-http silently drops user-supplied
"forbidden" headers (Origin, Referer, User-Agent) before they reach
reqwest, even when set explicitly via the JS fetch() options. This is
why the Origin/Referer added to TauriHlsLoader in 542b2d4 had no
effect on Windows: Twitch's CDN edges 403 anything that's not a
twitch.tv origin (verified from PowerShell that whitelisted
*.twitch.tv origins return 200 while http://tauri.localhost returns
403), and our headers were being filtered out on the way through.

With unsafe-headers enabled, the headers we set in TauriHlsLoader
reach the wire as-is.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>

Author: kernoeb

src-tauri/Cargo.toml

@@ -20,7 +20,7 @@ tauri-build = { version = "2", features = [] }
 tauri = { version = "2", features = ["macos-private-api"] }
 tauri-plugin-opener = "2"
 tauri-plugin-shell = "2"
-tauri-plugin-http = "2"
+tauri-plugin-http = { version = "2", features = ["unsafe-headers"] }
 tauri-plugin-store = "2"
 serde = { version = "1", features = ["derive"] }
 serde_json = "1"