ServerConfiguration should let admins configure CORS

[JonLatane]

Currently CORS headers are served with the absolute max permissiveness. Admins should be able to switch between Blocklist and Allowlist modes, choosing to block/allow sets of domains. Add these to ServerConfiguration models, and give the admin a simple UI in the Server Details Screen in Tamagui and/or the Server Configuration Page in Flutter.

AC:

• A new optional boolean strict_cors field should be added to the FederationInfo of the ServerConfiguration in server_configuration.proto.

• Add a <Switch ... /> named "Strict CORS" with a description of "Only permit Web access from Federated Servers. This has no effect on native apps." to the UI to toggle this on/off in ServerDetailsScreen's "Federation" section, below the list of federated servers:
  

• When that flag is turned on, create and pass a CorsLayer to Tonic (the gRPC server) based here, instead of just CorsLayer::permissive(). It should only allow access to the gRPC APIs referenced by the repeated FederatedServer servers in FederationInfo.

• (Strech goal; could be done in a second "Secure Web and Media with CORS" task.) Configure Rocket (the HTTP web/media server component) to also send CORS headers based on the FederationInfo.