While building my web app I want to take security seriously. The OWASP recommended security headers say to specify Cross-Origin-Embedder-Policy: require-corp. This entails that embedded resources cannot be loaded unless either the server (PostHog servers) sets Cross-Origin-Resource-Policy: cross-origin OR the client library sets the crossorigin attribute on any HTML element that tries to embed something. This last option means that requests will be made without "credentials" (e.g. cookies).
Right now I can't use PostHog session recordings without allowing ALL (implicit) cross-origin embeds.
Some might argue that the chances of somebody injecting and embedding a malicious URL in the age of built-in HTML escaping and URL sanitizers are low, but I'd also think the same for most of the other points in the OWASP Top 10, and yet people fail at it enough times for this recommendation to end up in a top 10.
Error Message (and URL):
GET https://eu-assets.i.posthog.com/static/recorder.js?v=1.128.1 net::ERR_BLOCKED_BY_RESPONSE.NotSameOriginAfterDefaultedToSameOriginByCoep 200 (OK)
Note: if a Content-Security-Policy is set, frame-src also needs to be configured to allow PostHog sources. This is already in my control, though; the other two conditions in the first paragraph are not.
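To make the blocking rule concrete, here is a small model of the decision a browser makes for a cross-origin subresource under Cross-Origin-Embedder-Policy: require-corp. This is an added example, not PostHog's code; the origins and response headers below are constructed, and it also covers the same-site CORP case, which the report above does not mention.

```javascript
// Models the COEP: require-corp check for one subresource response.
// Added example; sample origins/headers are constructed, not captured.
//
// Under require-corp a cross-origin response is usable only if:
//   - the request was sent in CORS mode (e.g. <script crossorigin>) and
//     Access-Control-Allow-Origin permits the embedding document, or
//   - the response carries Cross-Origin-Resource-Policy: cross-origin
//     (or same-site, when both origins share a registrable domain).

function sameSite(originA, originB) {
  // Simplified registrable-domain comparison (last two labels); good
  // enough for the examples here, not a Public Suffix List lookup.
  const reg = (o) => new URL(o).hostname.split('.').slice(-2).join('.');
  return reg(originA) === reg(originB);
}

function coepDecision({ documentOrigin, resourceOrigin, corsMode, responseHeaders }) {
  // Normalise header names and values for case-insensitive matching.
  const h = Object.fromEntries(
    Object.entries(responseHeaders).map(([k, v]) => [k.toLowerCase(), String(v).trim().toLowerCase()])
  );
  if (documentOrigin === resourceOrigin) return 'allowed: same-origin';

  if (corsMode) {
    // The crossorigin attribute path: CORS decides, not CORP.
    const acao = h['access-control-allow-origin'];
    if (acao === '*' || acao === documentOrigin.toLowerCase()) return 'allowed: CORS';
    return 'blocked: CORS not permitted by Access-Control-Allow-Origin';
  }

  // The no-cors path (plain <script src>): the server must opt in via CORP.
  const corp = h['cross-origin-resource-policy'];
  if (corp === 'cross-origin') return 'allowed: CORP cross-origin';
  if (corp === 'same-site' && sameSite(documentOrigin, resourceOrigin)) return 'allowed: CORP same-site';
  // No usable CORP header: COEP treats the request as same-origin and the
  // browser reports NotSameOriginAfterDefaultedToSameOriginByCoep.
  return 'blocked: NotSameOriginAfterDefaultedToSameOriginByCoep';
}
```

The first blocked case is the one in the error message above; the two allowed cases correspond to the two remedies described in the report (a CORP header on the asset server, or a crossorigin attribute on the injected script tag).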