Better documentation for expected CORS server configuration

[hochhaus]

When using shaka with CORS, the expected server configuration is not immediately obvious. Could a suggested configuration be added to the README?

For example:

Access-Control-Allow-Origin: https://example.com   # or * for all sites
Access-Control-Allow-Headers: Range                # is IMS or any other header necessary?
Access-Control-Max-Age: 600                        # cache preflight requests for 10 mins
Access-Control-Allow-Credentials: true             # iff using credentials

I'm not confident of the best configuration or I would send a pull request.

[TheModMaker]

I am hesitant to add this to the documentation since this is a common server-side configuration. CORS requirements are imposed by the browser, not by Shaka, so most servers will have to deal with this whether they use Shaka or not. Also, different server software will require different configurations to allow CORS.

There is already an entry in the FAQ when dealing with HTTP_ERROR. We may also want to mention CORS setup in the tutorials. But since this doesn't apply to Shaka specifically, it doesn't belong in the README.

[hochhaus]

Thanks @TheModMaker. I appreciate the point. That said, at least the Access-Control-Allow-Headers: Range does depend specifically on the headers sent by shaka. I'm fine with leaving out the documentation for the other headers (as you say, they are not dependent on shaka). However, without diving into the shaka source, how can one be sure of which non-simple headers shaka adds to the requests?

To me, anything that requires reading the source for correct server configuration should be documented. What do you think?

[TheModMaker]

I'll be sure to mention the Range header in the FAQ and in a new section in the tutorials.

[joeyparrish]

The new docs have been cherry-picked to v2.2.x and will be released in v2.2.2.