Extend CORS support to all routes - not only preflight requests

[tmcdos]

Is your feature request related to a problem? Please describe.
Currently CORS is supported by automatically answering with a list of predefined headers to every OPTIONS request. However, this still forces me to add a header Access-Control-Allow-Origin: * to each of my routes. I find it rather tedious and cumbersome.

Describe the solution you'd like
I would suggest that CORS headers are automatically added (of course, only if the checkbox for CORS is ticked in environment settings) to each response - unless I have defined those headers in my route.

Describe alternatives you've considered
An alternative solution would be to add ability to define (in the environment settings) a list of headers that should be used as default for each route - unless the route overrides some or all of them. Even more useful would be to have a list ot checkboxes for each of these default headers so that to specify the HTTP verb this particular default header should be used on (GET, POST, PUT, etc. - plus an ALL_VERBS checkbox at the end). For example I would like all my routes to have Content-Type: application/json by default.

[255kb]

If it's ok for you, I won't change anything to the current CORS option that send Access-Control-Allow-Origin, Access-Control-Allow-Methods and Access-Control-Allow-Headers headers with status 200 on OPTIONS requests (not the user defined OPTIONS routes). I will also add environment headers that will be applied to all routes. And I think that checking CORS option should automatically add those 3 headers to the environment headers.
What do you think?

[tmcdos]

In the MockAPIst tool I did it like this:

1. if there is a route defined which matches both the path and the method - then combine the headers defined for the method (each route may use 1 or more HTTP methods) plus the headers defined for the path (a.k.a the route) plus the globally defined headers (the latter automatically include CORS headers if the tick is checked - but may also include other user-defined headers); note that each more specific header overrides its less specific parent
2. if there is a match for the path but not for the method and if the method is OPTIONS and the CORS tick is checked - return the global headers (auto-extended with CORS headers)
3. if there is a match for the path but not for the method and it is not OPTIONS (or it is - but the CORS tick is not checked) - return error 405
4. if there is no match for the path but a valid proxy is specified - then send the request through the proxy
5. else return 404

Looks very similar to your plan.