FIX: Ensure app-cdn CORS is not overridden by cors_origin setting (#24661)

We add `Access-Control-Allow-Origin: *` to all asset requests which are requested via a configured CDN. This is particularly important now that we're using browser-native `import()` to load the highlightjs bundle. Unfortunately, user-configurable 'cors_origins' site setting was overriding the wldcard value on CDN assets and causing CORS errors.

This commit updates the logic to give the `*` value precedence, and adds a spec for the situation. It also invalidates the cache of hljs assets (because CDNs will have cached the bad Access-Control-Allow-Origin header).

The rack-cors middleware is also slightly tweaked so that it is always inserted. This makes things easier to test and more consistent.

spec/requests/highlightjs_controller_spec.rb

@@ -0,0 +1,33 @@
+# frozen_string_literal: true
+
+RSpec.describe HighlightJsController do
+  it "works via the site URL" do
+    get HighlightJs.path
+    expect(response.status).to eq(200)
+    expect(response.body).to include("export default function")
+    expect(response.headers["Access-Control-Allow-Origin"]).to eq(nil)
+  end
+
+  it "works via a CDN" do
+    cdn = "https://original-app-cdn.example.com"
+    set_cdn_url cdn
+
+    get "#{cdn}#{HighlightJs.path}"
+    expect(response.status).to eq(200)
+    expect(response.body).to include("export default function")
+    expect(response.headers["Access-Control-Allow-Origin"]).to eq("*")
+  end
+
+  it "works via a CDN when site has cors configuration" do
+    cdn = "https://original-app-cdn.example.com"
+    set_cdn_url cdn
+
+    global_setting :enable_cors, true
+    SiteSetting.cors_origins = "https://example.com"
+
+    get "#{cdn}#{HighlightJs.path}"
+    expect(response.status).to eq(200)
+    expect(response.body).to include("export default function")
+    expect(response.headers["Access-Control-Allow-Origin"]).to eq("*")
+  end
+end