backend: allow cross domain queries. wildcard CORS. #30
base: master
Conversation
* allow frontend to query backend whatever the domain = no restriction on domain * https://developer.mozilla.org/en-US/docs/Web/HTTP/Access_control_CORS
Thanks! This is needed only for development since frontend and backend are on different ports. I'd rather use something like https://github.com/Enlambda/nix-channelstatus/blob/master/frontend/webpack.config.js#L40
@jpierre03 Thanks for getting involved! If you're an IRC user please join us in
@domenkozar ok. But backend should also handle CORS @expipiplus1 :) Is a config file option to set the CORS allowed domains a good idea?
@jpierre03, this isn't really my domain, ho ho. I'm happy to go with whatever you think is best as long as @domenkozar agrees.
CORS is a collection of headers to tell the browser how to deal with cross-browser AJAX requests. If someone is on a different domain than where the API is hosted, this PR will allow it (meaning any domain) to query our API. I'm not sure about all the implications of this, we should be careful setting such a wide-spectrum default. @jpierre03 why do you think this is useful?
On second thought, we could whitelist all APIs that don't require the host and hardcode those that are protected. Need to think more about the use cases, but I wouldn't want to make any decisions in the early stage.
So here's the PR for development: #36
CORS is a set of rules checked by browsers and application servers to restrict access to resources by domain/@ip...
Without the correct HTTP headers, the browser discards data retrieved from the backend.
domain
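The two policies discussed in this thread, the wildcard `Access-Control-Allow-Origin: *` of this PR and the per-origin whitelist proposed as the safer default, side by side as an added example. This is illustrative Python, not code from the nix-channelstatus backend; the function names and the sample origins are assumptions.

```python
# Added example (not from the nix-channelstatus repository): computing the
# CORS response headers for one request under either a wildcard policy
# ("*", as in this PR) or an explicit whitelist of full origins.
from typing import Dict, Iterable, Optional, Sequence

WILDCARD = "*"


def cors_headers(request_origin: Optional[str],
                 allowed_origins: Iterable[str],
                 allow_credentials: bool = False) -> Dict[str, str]:
    """Return the CORS headers to add to a response.

    allowed_origins is either ["*"] or a list of full origins such as
    "https://app.example:8443" (scheme + host + port, compared exactly).
    """
    allowed = list(allowed_origins)
    headers: Dict[str, str] = {}
    if request_origin is None:
        return headers  # same-origin or non-browser client: nothing to do

    if WILDCARD in allowed:
        if allow_credentials:
            # Browsers refuse "*" together with credentials; never emit both.
            raise ValueError("wildcard origin cannot be combined with credentials")
        headers["Access-Control-Allow-Origin"] = WILDCARD
        return headers

    # Whitelist mode: exact comparison of the whole origin string. A prefix
    # or substring check would also match unrelated hosts, so avoid it.
    if request_origin in allowed:
        headers["Access-Control-Allow-Origin"] = request_origin
        headers["Vary"] = "Origin"  # response depends on Origin; tell caches
        if allow_credentials:
            headers["Access-Control-Allow-Credentials"] = "true"
    # Unknown origin: no ACAO header, so the browser discards the body.
    return headers


def preflight_headers(request_origin: Optional[str],
                      allowed_origins: Iterable[str],
                      methods: Sequence[str] = ("GET",)) -> Dict[str, str]:
    """Headers for an OPTIONS preflight; only granted to an allowed origin."""
    headers = cors_headers(request_origin, allowed_origins)
    if "Access-Control-Allow-Origin" in headers:
        headers["Access-Control-Allow-Methods"] = ", ".join(methods)
        headers["Access-Control-Max-Age"] = "600"
    return headers
```

With `allowed_origins=["*"]` every page on the web can read the API's responses, which is the behaviour this PR enables; with a whitelist only the listed frontend origins can.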