Use flutter.js bootstrapping

[johnpryan]

Attempt 2 at landing #2792

This loosens the CORS header for canvaskit.wasm since we were seeing this error:

Access to fetch at 'https://dartpad.dev/canvaskit/chromium/canvaskit.wasm' from origin 'null' has been blocked by CORS policy: No 'Access-Control-Allow-Origin' header is present on the requested resource. If an opaque response serves your needs, set the request's mode to 'no-cors' to fetch the resource with CORS disabled.

[devoncarew]

This firebase CORS config looks reasonable to me. I wonder - do we expect to need to allowlist additional resources in the future? For this filename to change?

I also don't know if we're holding flutter web uniquely, or if this resource + CORS pattern should be part of general 'hosting a flutter web app' guidance.

[johnpryan]

I think we will need to keep evaluating how we're configuring CORS and reevaluate how to simplify our configuration once we loosen things up enough to get them working.

We don't have good docs on how to configure CORS for Flutter web + Wasm, but I'm still not sure if this is a Flutter web specific configuration or if this is due to how we're sandboxing the iframe element.

cc @eyebrowsoffire @ditman @kevmoo

[ditman]

With the incoming --wasm mode, there's a whole host of "CORS cousins" that will need similar configuration + documentation, like COEP or CORP. This file is cool (but of course it depends on the hosting/CDN that the developer picks)!

[johnpryan]

Just to close the loop, this fixed the CORS error.

There's still some optimization we could do here, we are still throwing away a lot of the assets that we could be sharing between compilations, but this gets us migrated to the new bootstrapping system.

Thanks @ditman for the help!