Configure ureq to use platform-verifier for web assets (#20825)

# Objective

- Fixes #20803
- See issue for motivations on this change


## Solution

- Use ureq's `platform-verifier` feature and enable it in the agent
config.

I've gone the simple route and made this non-configurable, for now at
least.

The downside of this change is that you can longer use webpki-roots but
if bevy only supports one certificate verification method then I think
platform-verifier is the more sensible option.

## Testing

- Tested the web_asset example on Windows and macOS

Author: jf908

crates/bevy_asset/Cargo.toml

@@ -15,7 +15,7 @@ file_watcher = ["notify-debouncer-full", "watch", "multi_threaded"]
 embedded_watcher = ["file_watcher"]
 multi_threaded = ["bevy_tasks/multi_threaded"]
 http = ["blocking", "ureq"]
-https = ["blocking", "ureq", "ureq/rustls"]
+https = ["blocking", "ureq", "ureq/rustls", "ureq/platform-verifier"]
 web_asset_cache = []
 asset_processor = []
 watch = []

crates/bevy_asset/src/io/web.rs

@@ -138,9 +138,19 @@ async fn get(path: PathBuf) -> Result<Box<dyn Reader>, AssetReaderError> {
     if let Some(data) = web_asset_cache::try_load_from_cache(str_path).await? {
         return Ok(Box::new(VecReader::new(data)));
     }
+    use ureq::tls::{RootCerts, TlsConfig};
     use ureq::Agent;
 
-    static AGENT: LazyLock<Agent> = LazyLock::new(|| Agent::config_builder().build().new_agent());
+    static AGENT: LazyLock<Agent> = LazyLock::new(|| {
+        Agent::config_builder()
+            .tls_config(
+                TlsConfig::builder()
+                    .root_certs(RootCerts::PlatformVerifier)
+                    .build(),
+            )
+            .build()
+            .new_agent()
+    });
 
     let uri = str_path.to_owned();
     // Use [`unblock`] to run the http request on a separately spawned thread as to not block bevy's