Configure CORS for non repository routes

[AbdulrhmnGhanem]

The options here for configuring CORS doesn't support the Access-Control-Allow-Origin option.
With this configuration in the app.ini file:

[cors]
ENABLED=true
SCHEME=http
ALLOW_DOMAIN=kitspace.test,staging.kitspace.org,kitspace.org
ALLOW_SUBDOMAIN=true
METHODS=POST
MAX_AGE=10m
ALLOW_CREDENTIALS=true

The headers of the response are:

Access-Control-Allow-Headers
Access-Control-Allow-Methods: POST
Access-Control-Max-Age: 600
Connection: keep-alive
Content-Length: 70
Content-Type: application/json; charset=utf-8
Date: Sat, 29 Aug 2020 15:36:17 GMT
Server: nginx/1.17.6
X-Csrf-Token: 4CSnVuWtSzUdNcnrHZATVY8142c6MTU5ODY0MTQ4Njc5MTMxNzMzMw
X-Frame-Options: SAMEORIGIN

And the request from the browser results in the same CORS error.
There's an ACCESS_CONTROL_ALLOW_ORIGIN option under the [repository] configuration but no other occurrences in the whole Gitea codebase.

[AbdulrhmnGhanem]

To make things more complicated it has nothing to do with Gitea itself; it's a limitation of the library used by Gitea to handle requests(maybe a design decision).

Some relevant disscusion.

[kasbah]

I don't have time to look closer at this right now, but it makes me think that in that case we will have to proxy these endpoints to the main domain via Nginx or modify the header of the requests in Nginx.

[kasbah]

It seems another option is to fork to cors module and make it do what we want.

[AbdulrhmnGhanem]

It seems another option is to fork to cors module and make it do what we want.

Or we can drop Gitea altogether 🤣 🤣 🤣

Anyways look at the new PR, especially the latest commits.

[kasbah]

What's the status of this?

[AbdulrhmnGhanem]

Fixed it by configuring Nginx #7 (comment)