Get proper same-origin behaviour when loading modules

The browsers currently do not default to same-origin behaviour for
modules, so we need to be explicit in order for necessary
credentials to be passed along. This seems to be changing though,
but we need to wait for the browsers to actually roll out more
lenient defaults:

https://github.com/whatwg/fetch/pull/585

vnc.html

@@ -78,7 +78,7 @@
         });
     </script>
     <!-- actual script modules -->
-    <script type="module" src="app/ui.js"></script>
+    <script type="module" crossorigin="anonymous" src="app/ui.js"></script>
     <!-- end scripts -->
 </head>
 

vnc_lite.html

@@ -74,7 +74,7 @@
     </script>
 
     <!-- actual script modules -->
-    <script type="module">
+    <script type="module" crossorigin="anonymous">
         // Load supporting scripts
         import * as WebUtil from './app/webutil.js';
         import RFB from './core/rfb.js';