js: Enable cross-origin error debugging with crossorigin="anonymous".

If the script comes from a different origin than the requesting page,
and is not marked `crossorigin="anonymous"`, the `window.onerror`
handler receives no information other than "Script error." in the
event of a runtime error.

This effectively silences blueslip errors in development if the user
is developing on a remote host (such as a DigitalOcean droplet), since
static resources are served from `hostname.zulipdev.org`, and the
realm is served from `realmname.hostname.zulipdev.org`.  It also
silenced blueslip reporting in production for any non-default (non-"")
realms.  Sentry reporting, Vagrant developments, and truly ancient or
insecure browsers were unaffected.

Add the necessary `crossorigin="anonymous"` attribute to the
`<script>` tag to allow blueslip access to this error information.

templates/zerver/base.html

@@ -28,7 +28,7 @@
                 {% if filename.endswith(".css") -%}
                     <link href="{{ filename }}" rel="stylesheet" {% if csp_nonce %}nonce="{{ csp_nonce }}"{% endif %} />
                 {% elif filename.endswith(".js") -%}
-                    <script src="{{ filename }}" defer {% if csp_nonce %}nonce="{{ csp_nonce }}"{% endif %}></script>
+                    <script src="{{ filename }}" defer crossorigin="anonymous" {% if csp_nonce %}nonce="{{ csp_nonce }}"{% endif %}></script>
                 {% endif -%}
             {% endfor %}
         {% endblock %}

web/webpack.config.ts

@@ -171,6 +171,7 @@ export default (
                   // (https://github.com/webpack/webpack/issues/11937)
                   (pathData) => "files" + path.join("/", pathData.filename!),
             chunkFilename: production ? "[contenthash].js" : "[id].js",
+            crossOriginLoading: "anonymous",
         },
         resolve: {
             ...baseConfig.resolve,