fix(electron): embeded youtube videos not playable (#12892)

#### PR Dependency Tree


* **PR #12892** 👈

This tree was auto-generated by
[Charcoal](https://github.com/danerwilliams/charcoal)

<!-- This is an auto-generated comment: release notes by coderabbit.ai
-->

## Summary by CodeRabbit

- **Bug Fixes**
- Improved handling of CORS headers to ensure they are only removed for
responses from non-whitelisted domains, enhancing compatibility with
certain sites.

<!-- end of auto-generated comment: release notes by coderabbit.ai -->


#### PR Dependency Tree


* **PR #12892** 👈
  * **PR #12895**

This tree was auto-generated by
[Charcoal](https://github.com/danerwilliams/charcoal)

packages/frontend/apps/electron/src/main/protocol.ts

@@ -97,6 +97,13 @@ async function handleFileRequest(request: Request) {
   return net.fetch(pathToFileURL(filepath).toString(), clonedRequest);
 }
 
+// whitelist for cors
+// url patterns that are allowed to have cors headers
+const corsWhitelist = [
+  /^(?:[a-zA-Z0-9-]+\.)*googlevideo\.com$/,
+  /^(?:[a-zA-Z0-9-]+\.)*youtube\.com$/,
+];
+
 export function registerProtocol() {
   protocol.handle('file', request => {
     return handleFileRequest(request);
@@ -108,7 +115,7 @@ export function registerProtocol() {
 
   session.defaultSession.webRequest.onHeadersReceived(
     (responseDetails, callback) => {
-      const { responseHeaders } = responseDetails;
+      const { responseHeaders, url } = responseDetails;
       (async () => {
         if (responseHeaders) {
           const originalCookie =
@@ -146,10 +153,13 @@ export function registerProtocol() {
             }
           }
 
-          delete responseHeaders['access-control-allow-origin'];
-          delete responseHeaders['access-control-allow-headers'];
-          delete responseHeaders['Access-Control-Allow-Origin'];
-          delete responseHeaders['Access-Control-Allow-Headers'];
+          const hostname = new URL(url).hostname;
+          if (!corsWhitelist.some(domainRegex => domainRegex.test(hostname))) {
+            delete responseHeaders['access-control-allow-origin'];
+            delete responseHeaders['access-control-allow-headers'];
+            delete responseHeaders['Access-Control-Allow-Origin'];
+            delete responseHeaders['Access-Control-Allow-Headers'];
+          }
         }
       })()
         .catch(err => {