FEATURE: allow for local theme js assets (#16374)

Due to default CSP web workers instantiated from CDN based assets are still
treated as "same-origin" meaning that we had no way of safely instansiating
a web worker from a theme.

This limits the theme system and adds the arbitrary restriction that WASM
based components can not be safely used.

To resolve this limitation all js assets in about.json are also cached on
local domain.

{
  "name": "Header Icons",
  "assets" : {
    "worker" : "assets/worker.js"
  }
}

This can then be referenced in JS via:

settings.theme_uploads_local.worker

local_js_assets are unconditionally served from the site directly and
bypass the entire CDN, using the pre-existing JavascriptCache

Previous to this change this code was completely dormant on sites which
used s3 based uploads, this reuses the very well tested and cached asset
system on s3 based sites.

Note, when creating local_js_assets it is highly recommended to keep the
assets lean and keep all the heavy working in CDN based assets. For example
wasm files can still live on the CDN but the lean worker that loads it can
live on local.

This change unlocks wasm in theme components, so wasm is now also allowed
in `theme_authorized_extensions`

* more usages of upload.content

* add a specific test for upload.content

* Adjust logic to ensure that after upgrades we still get a cached local js
on save

spec/models/upload_spec.rb

@@ -204,6 +204,13 @@ describe Upload do
         setup_s3
       end
 
+      it "can download an s3 upload" do
+        stub_request(:get, upload.url)
+          .to_return(status: 200, body: "hello", headers: {})
+
+        expect(upload.content).to eq("hello")
+      end
+
       it "should return the right upload when using base url (not CDN) for s3" do
         upload
         expect(Upload.get_from_url(upload.url)).to eq(upload)