Pass `app` parameter to Ratings API call
It's not currently documented (will be in https://github.com/mozilla/addons/issues/1910) but you can pass the `app` parameter to the Ratings API (it can actually be passed to all our APIs...). This might not seem useful, but it is because the ratings API can return URLs for ratings authors. If that URL is exposed or followed by the frontend, then we risk accidentally exposing/following a URL meant for a different app (using a link meant for Firefox when we're on Android, or vice-versa).

There is no guarantee what app will be used when building URLs on addons-server when you don't pass an `app` parameter, because the `User-Agent` of the request is used, but it's not part of the CDN cache key for the API, so you could get a cached response originally built for a different `User-Agent`, resulting in the wrong URL being returned.

It's extremely minor at the moment because we're only showing user URLs for admins, who are logged in and therefore bypassing CDN cache, so they'd see URLs matching their `User-Agent`. Still, it would be safer to just pass the `app` to Ratings API calls.
Old Jira Ticket: https://mozilla-hub.atlassian.net/browse/ADDFRNT-111
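
A small model of the cache behaviour described in this issue, added here as an illustration (not code from addons-server, addons-frontend or the CDN). The URL paths, the `ratingsUrl` helper and the assumption that the query string is part of the CDN cache key are constructed for the example.

```javascript
// Constructed model of the issue; not addons-server or CDN code.

// Origin stand-in: builds the author URL from `app` when given,
// otherwise falls back to sniffing the User-Agent.
function originResponse(url, userAgent) {
  const app = new URL(url, 'https://amo.example').searchParams.get('app')
    || (/Android/.test(userAgent) ? 'android' : 'firefox');
  return { authorUrl: `/${app}/user/123/` }; // constructed path
}

// CDN stand-in: the cache key is path + query string only (assumption);
// the User-Agent header is not part of the key.
function makeCdn() {
  const cache = new Map();
  return function fetchViaCdn(url, userAgent) {
    if (!cache.has(url)) cache.set(url, originResponse(url, userAgent));
    return cache.get(url);
  };
}

// Hypothetical frontend helper: pins the app in the query string when provided.
function ratingsUrl(addonId, app) {
  const params = new URLSearchParams({ addon: String(addonId) });
  if (app) params.set('app', app);
  return `/api/ratings/?${params}`; // constructed path
}

// Constructed sample User-Agent strings.
const DESKTOP_UA = 'Mozilla/5.0 (X11; Linux x86_64; rv:128.0) Gecko/20100101 Firefox/128.0';
const ANDROID_UA = 'Mozilla/5.0 (Android 14; Mobile; rv:128.0) Gecko/128.0 Firefox/128.0';

function demo() {
  const cdn = makeCdn();
  // No app: a desktop request warms the cache, then an Android client
  // hits the same cache key and receives the desktop-built URL.
  cdn(ratingsUrl(42), DESKTOP_UA);
  const withoutApp = cdn(ratingsUrl(42), ANDROID_UA).authorUrl;
  // With app: each app gets its own cache key, so the response matches.
  cdn(ratingsUrl(42, 'firefox'), DESKTOP_UA);
  const withApp = cdn(ratingsUrl(42, 'android'), ANDROID_UA).authorUrl;
  return { withoutApp, withApp };
}

console.log(demo());
```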