
Configurable API response (CORS) headers #13620

Merged


ryanahamilton
Contributor

Employing the newly improved REST API from an independent web application is currently prohibited by browsers due to the lack of CORS (Cross-Origin Resource Sharing) headers in the API response.

This PR adds 3 configuration options to add the following headers:

  • Access-Control-Allow-Headers via AIRFLOW__API__ACCESS_CONTROL_ALLOW_HEADERS
  • Access-Control-Allow-Methods via AIRFLOW__API__ACCESS_CONTROL_ALLOW_METHODS
  • Access-Control-Allow-Origin via AIRFLOW__API__ACCESS_CONTROL_ALLOW_ORIGIN

This only covers a minimum of all potential headers that could be utilized, but the added set_cors_headers_on_response function establishes an obvious place for it to be further extended in the future if needed.

We did look into utilizing Flask-CORS to add this functionality, but ultimately found it to be overkill given we only want to add this to the API endpoint and not the entire Webserver application.

I've added documentation of this feature to Security/API and also cross-linked to that documentation from within the API documentation as well.
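
An added example, not code from this PR or from Airflow: a sketch of how the three options listed in the description could be mapped onto response headers, with a review check for overly broad values. The function names and audit rules are assumptions; only the environment variable and header names come from the PR description.

```python
import os
from urllib.parse import urlsplit

# Header name -> environment variable, as listed in the PR description.
CORS_OPTIONS = {
    "Access-Control-Allow-Headers": "AIRFLOW__API__ACCESS_CONTROL_ALLOW_HEADERS",
    "Access-Control-Allow-Methods": "AIRFLOW__API__ACCESS_CONTROL_ALLOW_METHODS",
    "Access-Control-Allow-Origin": "AIRFLOW__API__ACCESS_CONTROL_ALLOW_ORIGIN",
}


def apply_cors_headers(headers, env=None):
    """Hypothetical helper: copy each configured, non-empty option onto the headers."""
    env = os.environ if env is None else env
    for header, var in CORS_OPTIONS.items():
        value = env.get(var, "").strip()
        if value:  # unset options add nothing, so browsers keep blocking
            headers[header] = value
    return headers


def audit_cors_env(env=None):
    """Return review findings for the configured values (empty list means none)."""
    env = os.environ if env is None else env
    findings = []
    origin = env.get(CORS_OPTIONS["Access-Control-Allow-Origin"], "").strip()
    if origin == "*":
        findings.append("allow-origin is '*': any origin may read API responses")
    elif origin:
        parts = urlsplit(origin)
        # The header carries exactly one origin: scheme://host[:port], no path or list.
        if (parts.scheme not in ("http", "https") or not parts.netloc
                or parts.path or "," in origin or " " in origin):
            findings.append(f"allow-origin {origin!r} is not a single origin")
        elif parts.scheme == "http":
            findings.append("allow-origin uses plain http")
    for header in ("Access-Control-Allow-Headers", "Access-Control-Allow-Methods"):
        if env.get(CORS_OPTIONS[header], "").strip() == "*":
            findings.append(f"{header} is '*': list only what the client needs")
    return findings


if __name__ == "__main__":
    # Constructed sample value, not taken from the PR.
    sample = {"AIRFLOW__API__ACCESS_CONTROL_ALLOW_ORIGIN": "*"}
    print(apply_cors_headers({}, sample), audit_cors_env(sample))
```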

boring-cyborg bot added the area:API, area:webserver and kind:documentation labels Jan 11, 2021
@mik-laj
Member

mik-laj commented Jan 11, 2021

@github-actions

The Workflow run is cancelling this PR. Building images for the PR has failed. Follow the workflow link to check the reason.

@ryanahamilton
Contributor Author

Thanks for the input @mik-laj! Ash helped me work out the handler registration.

re: Access-Control-Allow-Credentials I don't have a strong opinion on this as I haven't yet encountered a use-case that requires it. I'm happy to add it if you think it would be prudent? Otherwise, this will establish an obvious place to do so if the need arises in the future.

@ashb
Member

ashb commented Jan 12, 2021

> Thanks for the input @mik-laj! Ash helped me work out the handler registration.
>
> re: Access-Control-Allow-Credentials I don't have a strong opinion on this as I haven't yet encountered a use-case that requires it. I'm happy to add it if you think it would be prudent? Otherwise, this will establish an obvious place to do so if the need arises in the future.

Probably add it when we/someone have a use case for it then

Member

@ashb ashb left a comment


CI just failed with a backfill job 137-error, unrelated.

github-actions bot added the full tests needed label Jan 13, 2021
@github-actions

The PR most likely needs to run full matrix of tests because it modifies parts of the core of Airflow. However, committers might decide to merge it quickly and take the risk. If they don't merge it quickly - please rebase it to the latest master at your convenience, or amend the last commit of the PR, and push it with --force-with-lease.

@ryanahamilton ryanahamilton merged commit 87645b3 into apache:master Jan 14, 2021
@ryanahamilton ryanahamilton deleted the api_response_cors_headers_config branch January 14, 2021 20:17
@mik-laj mik-laj mentioned this pull request Sep 9, 2021