The current protocol for signed request requires the use of the Date HTTP
header. Although this works fine for clients that have full control over the
HTTP headers they send, this is not working in the context of web browser where
the Date HTTP headers are forbidden to be programmatically set (and therefore
used in any meaningful way)
https://developer.mozilla.org/en-US/docs/Glossary/Forbidden_header_name

In general, this change enables the specification of a prioritized list of
alternative for headers. In particular for the Date header, this change
specifies a the list ['X-Cubicweb-Date', 'Date'] as an alternative to the Date
header; meaning that when looking for the Date header, one should first look
at the X-Cubicweb-Date header, and then if not present at the Date header. Doing
so, it should be possible to emit signed requests from the context of a browser
by specifying a X-Cubicweb-Date header, overriding the Date header that the
browser may or may not set by itself.