Revise cookie 'secure flag' enable condition

The localhost is 'potentially trustworthy' and RFC 6265 allows setting secure flag in this case.
Also check `X-Forwarded-Proto` header value to support reverse proxy usage.

Note: for reverse proxy users, now the `X-Forwarded-Proto` header is expected to be sent to qbt
otherwise the `secure` flag might be set erroneously.

https://datatracker.ietf.org/doc/html/rfc6265#section-4.1.2.5
https://w3c.github.io/webappsec-secure-contexts/#is-origin-trustworthy

Closes #21250.
PR #21260.

src/gui/optionsdialog.ui

@@ -3675,7 +3675,7 @@ Specify an IPv4 or IPv6 address. You can specify "0.0.0.0" for any IPv
                   <item>
                    <widget class="QCheckBox" name="checkSecureCookie">
                     <property name="text">
-                     <string>Enable cookie Secure flag (requires HTTPS)</string>
+                     <string>Enable cookie Secure flag (requires HTTPS or localhost connection)</string>
                     </property>
                    </widget>
                   </item>