Allow cross-origin requests to access public content endpoint #1011
This addresses #1006
This sets an Access-Control-Allow-Origin: * header on HTTP responses to the show endpoint; this will allow requests to this API to originate (via JS) from hosts other than www.gov.uk. The reason for adding this is to resolve the issue raised on GitHub 1006 [1]. GOV.UK doesn't directly need this as it doesn't make use of client side requests to the Content Store and, if it did, they'd be from the same host. However this is added in to reflect that this is indeed a partially supported public API [2] and that we are not concerned with JS clients calling it from a different host.
I only put this on the one endpoint as there didn't seem to be any need to have it on endpoints other than ContentItems#show. I also didn't implement the HTTP OPTIONS method for the endpoint as I don't think it's strictly needed and can't see evidence of this enabled on other GOV.UK cross-origin endpoints:
➜ ~ curl -sI -X OPTIONS https://www.gov.uk/api/search.json\?fields\=publishing_app\&filter_publishing_app\=publisher\&filter_first_published_at\=from:2022-09-01,to:2022-09-30 | grep HTTP
HTTP/2 404
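The point above about leaving out OPTIONS, as an added example that is not part of the pull request or the Content Store code: a simplified JavaScript model of the browser's CORS decisions, showing which cross-origin calls work against an endpoint that only sends the wildcard header. The origin https://app.example and all function names are assumptions, a handled preflight is assumed to approve the request, and the Fetch spec's header value and length rules are omitted.

```javascript
// Added example: simplified model of browser CORS checks (not project code).
const SAFE_METHODS = new Set(["GET", "HEAD", "POST"]);
const SAFE_HEADERS = new Set([
  "accept", "accept-language", "content-language", "content-type",
]);
const SAFE_CONTENT_TYPES = new Set([
  "application/x-www-form-urlencoded", "multipart/form-data", "text/plain",
]);
// Constructed response headers: what the show endpoint sends after this change.
const WILDCARD = { "access-control-allow-origin": "*" };
const PAGE = "https://app.example"; // hypothetical third-party origin

// True when the browser sends an OPTIONS preflight before the real request.
function needsPreflight({ method = "GET", headers = {} }) {
  if (!SAFE_METHODS.has(method.toUpperCase())) return true;
  for (const [name, value] of Object.entries(headers)) {
    const lower = name.toLowerCase();
    if (!SAFE_HEADERS.has(lower)) return true;
    if (lower === "content-type") {
      const mime = String(value).split(";")[0].trim().toLowerCase();
      if (!SAFE_CONTENT_TYPES.has(mime)) return true;
    }
  }
  return false;
}

// True when page script is allowed to read the response.
function scriptCanRead({ pageOrigin, credentials = false }, responseHeaders) {
  const allow = responseHeaders["access-control-allow-origin"];
  if (allow === undefined) return false;
  if (allow === "*") return !credentials; // wildcard is rejected for credentialed requests
  if (allow !== pageOrigin) return false;
  return !credentials ||
    responseHeaders["access-control-allow-credentials"] === "true";
}

// Outcome for one request against an endpoint with or without OPTIONS support.
function evaluate(request, responseHeaders, serverHandlesOptions) {
  if (needsPreflight(request) && !serverHandlesOptions) {
    return "blocked: preflight fails";
  }
  return scriptCanRead(request, responseHeaders)
    ? "readable"
    : "blocked: CORS check fails";
}

console.log(evaluate({ pageOrigin: PAGE, method: "GET" }, WILDCARD, false));
```

A plain GET is readable without any OPTIONS handler; a client that adds a non-safelisted header or sends credentials is blocked by the browser.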