analytics.js-integrations

Heap: add support for secureCookie option

Open chrismear opened this issue 5 years ago • 0 comments

What does this PR do?

Adds support for passing Heap's secureCookie option to window.heap.load.

Are there breaking changes in this PR?

I don't believe so, but I'm not super-familiar with this repo.

Any background context you want to provide?

Heap have added an optional secureCookie option, in response to the SameSite changes instigated by Chromium in 2020.

Users need to set this to true if their product is ever served in an iframe, otherwise incorrect session counting will occur in Heap due to the SameSite cookie-handling changes. But we can't just set this to true for everyone by default, because that causes incorrect session counting in Heap for users whose product is served over both HTTP and HTTPS. So, this needs to be a user-defined option.

Is there parity with the server-side/android/iOS integration components (if applicable)?

Not applicable — this is a setting related to web cookies set by Heap's client-side JS library.

Does this require a new integration setting? If so, please explain how the new setting works

Yes. A new boolean setting, secureCookie, defaulted to false. Setting this to true instructs Heap to set SameSite=None;Secure on its cookie(s), which is necessary for Heap to work correctly when the users' product is hosted in an iframe.

Links to helpful docs and other external resources

https://help.heap.io/getting-started/installation-guides/web/#iframes
https://help.heap.io/getting-started/installation-guides/web/#securecookie
https://docs.heap.io/docs/heapjs-changelog#490---2020-05-11
https://www.chromium.org/updates/same-site

chrismear, Jun 26 '20 20:06
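The trade-off described in this PR, as an added example that is not part of the PR or of Heap's code: a simplified model of Chromium's post-2020 cookie rules showing why neither value of secureCookie works for every deployment. The function names and scenarios are hypothetical, and the attributes used when secureCookie is false (no Secure, no SameSite) are an assumption; the PR only states what true sets.

```javascript
// Added illustration: simplified model of Chromium's SameSite/Secure rules.
// Assumption: with secureCookie=false the cookie carries neither Secure nor
// SameSite; the PR only states that true sets SameSite=None;Secure.
function heapCookieAttributes(secureCookie) {
  return secureCookie
    ? { sameSite: 'None', secure: true }
    : { sameSite: null, secure: false };
}

// Decide whether a script-written cookie is stored and readable.
// context: { scheme: 'http' | 'https', crossSiteIframe: boolean }
function evaluateCookie(attrs, context) {
  // A cookie with no SameSite attribute is treated as SameSite=Lax.
  const sameSite = attrs.sameSite || 'Lax';
  if (attrs.secure && context.scheme !== 'https') {
    return { usable: false, reason: 'Secure cookie cannot be set or read over HTTP' };
  }
  if (sameSite === 'None' && !attrs.secure) {
    return { usable: false, reason: 'SameSite=None is rejected without Secure' };
  }
  if (context.crossSiteIframe && sameSite !== 'None') {
    return { usable: false, reason: `SameSite=${sameSite} is blocked in a cross-site iframe` };
  }
  return { usable: true, reason: 'cookie stored and available' };
}

// Constructed scenarios matching the cases the PR description names.
const SCENARIOS = [
  { name: 'top-level HTTPS', scheme: 'https', crossSiteIframe: false },
  { name: 'top-level HTTP', scheme: 'http', crossSiteIframe: false },
  { name: 'HTTPS in cross-site iframe', scheme: 'https', crossSiteIframe: true },
];

// One row per scenario: is the cookie usable under each setting?
function compareSettings() {
  return SCENARIOS.map((ctx) => ({
    scenario: ctx.name,
    secureCookieFalse: evaluateCookie(heapCookieAttributes(false), ctx).usable,
    secureCookieTrue: evaluateCookie(heapCookieAttributes(true), ctx).usable,
  }));
}

console.table(compareSettings());
```

A row where either column is false is a context in which the cookie is unavailable, which is where the session counting errors described above would come from.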