/openapi should provider CORS headers

[rafabene]

Since CORS support is not mandatory in the specification, I've seen some implementations that doesn't use CORS headers on /openapi.

However, tools like Swagger presents the following error message when consuming a MP application with OpenAPI without CORS headers: "Possible cross-origin (CORS) issue? The URL origin (http://localhost:8080) does not match the page (http://localhost). Check the server returns the correct 'Access-Control-Allow-*' headers."

This issue is to request that CORS headers should be mandatory to enable tools like Swagger-UI to consume /openapi endpoint.

[EricWittmann]

We'll discuss this in the next hangout.

[phillip-kruger]

Quarkus does have it in the vert.x router.

[EricWittmann]

@phillip-kruger confirmed that Quarkus has CORS enabled for the /openapi endpoint but we'll need to double check on Thorntail and WildFly. We discussed this on the call today and we are not convinced that CORS is something the spec should be mandating. So I think we're inclined to close this as rejected, unless @MikeEdgar or @arthurdm (or anyone else) have dissenting opinions.

[MikeEdgar]

I agree, this can be handled in implementations

[MikeEdgar]

Closing issue. As noted in earlier comments, this is something that will continue to be not included in the specification.

[Emily-Jiang]

@MikeEdgar I think it will be a good support for CORS header though. @tjquinno what do you think?

[Emily-Jiang]

@MikeEdgar I reopened this issue for further discussion. If we all think it is not something we should spec, we can then close it.