Open
Description
This is a little niche, but I think maybe this:
```elixir
|> put_resp_content_type("text/html")
```
… should be expanded to:
```elixir
|> merge_resp_headers([
  {"content-type", "text/html; charset=utf-8"},
  {"cross-origin-embedder-policy", "require-corp"},
  {"cross-origin-resource-policy", "cross-origin"}
])
```
… in order to allow for the target to set a Cross-Origin-Embedder-Policy of require-corp.
You can, I’ll note, make this square in Chrome as of January by setting iframe_attrs: [credentialless: "true"] as part of a given Endpoint’s :live_reload configuration, but that’s only true in Chrome. This seems to me like the more back-of-the-fence fix.