dkan
Re-open public APIs for CORS requests
We were possibly too hasty with #3258. Let's find a way to open the origin header to `*` for just the public endpoints.
Acceptance criteria
- On public DKAN GET endpoints that do not require authentication, the JsonResponseTrait we include in DKAN controllers should add a `["Access-Control-Allow-Origin" => "*"]` header
This ticket is more of a best practice approach for out-of-the-box core without an API key. It will be site-specific, since everyone will have different securities or regulations around what they do. This is a low-priority ticket.
For reference: on DEV and TEST envs we use development.services.yml

```yaml
parameters:
  cors.config:
    enabled: true
    # Specify allowed headers, like 'x-allowed-header'.
    allowedHeaders: ['*']
    # Specify allowed request methods, specify ['*'] to allow all possible ones.
    allowedMethods: ['*']
    # Configure requests allowed from specific origins.
    allowedOrigins: ['*']
    # Sets the Access-Control-Expose-Headers header.
    exposedHeaders: false
    # Sets the Access-Control-Max-Age header.
    maxAge: false
    # Sets the Access-Control-Allow-Credentials header.
```
On PROD we use production.services.yml

```yaml
parameters:
  cors.config:
    enabled: true
    # Specify allowed headers, like 'x-allowed-header'.
    allowedHeaders: ['x-csrf-token','authorization','content-type','accept','origin','x-requested-with', 'access-control-allow-origin','x-allowed-header','*']
    # Specify allowed request methods, specify ['*'] to allow all possible ones.
    allowedMethods: ['GET','POST']
    # Configure requests allowed from specific origins.
    allowedOrigins: [
      'https://domain1.com',
      'https://domain2.com'
    ]
```
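One way to meet the acceptance criterion above, as an added example and not DKAN's own JsonResponseTrait: a hypothetical trait that sets `Access-Control-Allow-Origin: *` only on responses to unauthenticated GET requests, independent of the site-wide `cors.config` shown in the comments. It assumes Symfony HttpFoundation (bundled with Drupal) and a placeholder `x-api-key` header name; the session-cookie prefix check follows Drupal's `SESS`/`SSESS` naming.

```php
<?php
// Added example (not DKAN project code): open the origin only for public reads.
// Assumes Symfony HttpFoundation is autoloaded, as it is inside Drupal.

use Symfony\Component\HttpFoundation\JsonResponse;
use Symfony\Component\HttpFoundation\Request;

trait PublicCorsJsonResponseTrait {

  /**
   * Returns TRUE when the request carries no credentials the site would honour.
   *
   * Hypothetical check: no Authorization header, no API-key header (placeholder
   * name) and no Drupal session cookie (SESS... over http, SSESS... over https).
   * A real site would ask its authentication layer instead.
   */
  protected function isAnonymousRequest(Request $request): bool {
    if ($request->headers->has('authorization') || $request->headers->has('x-api-key')) {
      return FALSE;
    }
    foreach (array_keys($request->cookies->all()) as $name) {
      if (preg_match('/^S?SESS/', $name)) {
        return FALSE;
      }
    }
    return TRUE;
  }

  /**
   * Builds the JSON response, adding the wildcard origin only for public GETs.
   *
   * The wildcard is never paired with Access-Control-Allow-Credentials: true,
   * which browsers reject; authenticated or state-changing requests keep the
   * site's cors.config behaviour unchanged.
   */
  protected function getResponse($data, int $code, Request $request): JsonResponse {
    $response = new JsonResponse($data, $code);
    if ($request->isMethod('GET') && $this->isAnonymousRequest($request)) {
      $response->headers->set('Access-Control-Allow-Origin', '*');
    }
    return $response;
  }

}

// Usage: a controller mixes the trait in and hands over the current request.
class ExampleController {
  use PublicCorsJsonResponseTrait;

  public function index(Request $request): JsonResponse {
    return $this->getResponse(['items' => []], 200, $request);
  }
}
```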