adobe / aem-project-archetype

Maven template to create best-practice websites on AEM.
https://experienceleague.adobe.com/docs/experience-manager-core-components/using/developing/archetype/overview.html
Apache License 2.0

Default setup should support CORS #878

Open shsteimer opened 2 years ago

shsteimer commented 2 years ago

Expected Behaviour

On a default setup with the project archetype, the headers (Origin, Access-Control-Request-Method, Access-Control-Request-Headers) necessary for CORS to function should be passed through to render instances.

Actual Behaviour

Those headers aren't passed to render instances, preventing CORS from working.

Reproduce Scenario (including but not limited to)

Steps to Reproduce

Set up a new project with the archetype. On your publish instance behind the dispatcher, add an OSGi config allowing CORS access to, e.g., http://www.otherdomain.com, something like this:

{
  "supportedmethods":[
    "GET",
    "HEAD",
    "POST",
    "OPTIONS"
  ],
  "alloworiginregexp":[
    "http://localhost:.*",
    "http://www.otherdomain.com"
  ],
  "allowedpaths":[
    "/(content|conf)/my-app.*"
  ],
  "supportedheaders":[
    "Origin",
    "Accept",
    "X-Requested-With",
    "Content-Type",
    "Access-Control-Request-Method",
    "Access-Control-Request-Headers",
    "Authorization"
  ]
}

Now make a request with an Origin header to simulate CORS. You can do this with curl:

curl --verbose -H "Origin: http://www.otherdomain.com" http://www.mydomain.com/content/my-app.html

Notice that the Origin header is never passed to the render instance, and that the response is missing the Access-Control-Allow-Origin response header.

Platform and Version

Cloud

Notes

I'm happy to submit a PR for this; it should just be a matter of adding 3 headers to https://github.com/adobe/aem-project-archetype/blob/develop/src/main/archetype/dispatcher.cloud/src/conf.dispatcher.d/clientheaders/clientheaders.any:

"Origin"
"Access-Control-Request-Method"
"Access-Control-Request-Headers"

Although it may be better to add these to default_headers, which is an immutable file.

May also want to consider adding the CORS response headers to default.farm in the /cache/headers section so that CORS responses on GET requests can be cached.
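As an added example (not code from the archetype or from the issue author), a small Python check that flattens a dispatcher clientheaders.any file, following $include directives, and reports which of the three CORS request headers named above would never reach the render instance. The file contents are constructed stand-ins, not the archetype's real defaults.

```python
# Added example (not archetype code): flatten a dispatcher clientheaders.any
# file, following $include, and report which CORS request headers it strips.
# The file contents below are constructed stand-ins for the archetype's files.
import re
from typing import Dict, List

# Request headers the CORS filter on the render instance needs to see.
CORS_REQUEST_HEADERS = ("Origin", "Access-Control-Request-Method",
                        "Access-Control-Request-Headers")

FILES: Dict[str, str] = {  # constructed; the real defaults differ
    "./default_clientheaders.any": '"Accept"\n"Authorization"\n"Cookie"\n',
    "./clientheaders.any": (
        "# forwarded from dispatcher to the render instance\n"
        '$include "./default_clientheaders.any"\n'
        '"X-Forwarded-Proto"\n'
    ),
}

_INCLUDE = re.compile(r'^\$include\s+"([^"]+)"')
_HEADER = re.compile(r'^"([^"]+)"')


def forwarded_headers(path: str, files: Dict[str, str]) -> List[str]:
    """Header names the dispatcher forwards (one quoted name per line,
    '#' comments, $include resolved against `files`)."""
    names: List[str] = []
    for raw in files[path].splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        if m := _INCLUDE.match(line):
            names.extend(forwarded_headers(m.group(1), files))
        elif m := _HEADER.match(line):
            names.append(m.group(1))
    return names


def missing_cors_headers(path: str, files: Dict[str, str]) -> List[str]:
    """CORS request headers that would never reach the render instance.
    A "*" entry forwards everything; names compare case-insensitively."""
    present = {h.lower() for h in forwarded_headers(path, files)}
    if "*" in present:
        return []
    return [h for h in CORS_REQUEST_HEADERS if h.lower() not in present]


def with_cors_fix(files: Dict[str, str]) -> Dict[str, str]:
    """Copy of `files` with the three headers from the issue appended."""
    fixed = dict(files)
    fixed["./clientheaders.any"] += "".join(f'"{h}"\n' for h in CORS_REQUEST_HEADERS)
    return fixed
```

Running `missing_cors_headers("./clientheaders.any", FILES)` on the constructed files lists all three headers as stripped, and the same call on `with_cors_fix(FILES)` returns an empty list.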

godanny86 commented 2 years ago

+1 to this. Configuration for headless is very difficult for customers (especially those new to AEM).