Document the CORS/preflight headers

[turt2live]

Fixes #1006

This PR documents existing behaviour and does not attempt to improve or change the situation.

Reference: https://github.com/matrix-org/synapse/blob/53969e196004659c6a9f138f5d8abd86f4957d74/synapse/http/server.py#L455-L462

[uhoreg]

lgtm other than a couple minor things

[uhoreg]

maybe "... supply Cross-Origin Resource Sharing (CORS) headers on all requests." (add "on all requests" at the end.)

[uhoreg]

s/should/must/ ? (and also on the next line)

[turt2live]

"must" makes sense for the first one. The second one actually seems to have a whole different story to it.

Abbreviated console output:

$ curl -sv -X OPTIONS https://matrix.org/_matrix/client/r0/this/does/not/exist
< HTTP/2 200
< date: Wed, 04 Jul 2018 20:23:25 GMT
< content-type: application/json
< access-control-allow-headers: Origin, X-Requested-With, Content-Type, Accept, Authorization
< access-control-allow-origin: *
< access-control-allow-methods: GET, POST, PUT, DELETE, OPTIONS

[turt2live]

What do you think about specing it as 200 OK for OPTIONS? (the alternative being leaving it undefined and putting that part through the proposal process, imo)

[uhoreg]

I think that we can leave it undefined for now, and, looking at this again, we might also want to leave the exact headers undefined as well, as some servers may want to be more or less strict about some of them. e.g. some servers may want to set Access-Control-Allow-Methods to only return the methods that actually exist on that route. Maybe just suggest that servers should set Access-Control-Allow-Headers to allow for Origin, X-Requested-With, Content-Type, Accept, Authorization.

[turt2live]

@uhoreg This should be updated now. Please take another look.

[uhoreg]

I'd personally prefer "An example of CORS headers..." rather than "The recommended CORS headers...", but I'm also fine with it just going in like this.