docs(files): note CORS_EXPOSED_HEADERS requirement for TUS Directus-File-Id

[singhvishalkr]

Fixes #599.

v11.16+ returns the uploaded file's ID in a Directus-File-Id response header after a TUS chunked upload. When the frontend is on a different origin from the API, browsers don't expose that header to JavaScript unless it's listed in Access-Control-Expose-Headers, so reading the ID from xhr.getResponseHeader('Directus-File-Id') silently returns null.

I hit this myself and spent a while staring at the Network tab before finding the issue, which is also the exact gotcha the report describes. ComfortablyCoding confirmed on the issue that the right fix is documentation -- not a default change -- so I added a small callout in the existing Chunked Uploads section pointing at CORS_EXPOSED_HEADERS on the Security & Limits page.

No variable or behavior changes, just the note.

[vercel]

@singhvishalkr is attempting to deploy a commit to the Directus Team on Vercel.

A member of the Team first needs to authorize it.

[singhvishalkr]

Superseded by the earlier #639 in this same session, which also calls out the same-origin exclusion and the comma-separated CORS_EXPOSED_HEADERS shape; closing this one to avoid double review. Tracking on #639.