Open
Description
Context / Motivation
Delivery-Service and Delivery-Dashboard are typically deployed in such a way that they are served from different (sub-)domains. Because this makes requests from Delivery-Dashboard cross-domain requests, Delivery-Service needs to set "CORS-Headers". Currently, it sets those for any domain (*), which is not a recommended practice.
Implementation Proposal
Make domain(s) for which Delivery-Service sets CORS-Headers configurable. Configure OCM-Gear-Installer such that it will by default restrict CORS-Domains to the one from which Delivery-Dashboard will be served. It should remain possible for users to overwrite this default.
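One way the proposed allowlist could be evaluated per request, as an added example that is not Delivery-Service's own code. The function names, the list-of-strings config format and the `dashboard.example.org` origin are assumptions made for illustration.

```python
from urllib.parse import urlsplit

DEFAULT_PORTS = {"http": 80, "https": 443}
ANY_ORIGIN = "*"  # the current behaviour; here only reachable as an explicit override


def normalise_origin(value):
    """Return 'scheme://host[:port]' in canonical form, or None if value is not an origin."""
    try:
        parts = urlsplit(value.strip())
        port = parts.port
    except ValueError:  # malformed port or bracketed host
        return None
    if parts.scheme not in DEFAULT_PORTS or not parts.hostname:
        return None  # also rejects the literal "null" origin
    if parts.path or parts.query or parts.fragment or parts.username or parts.password:
        return None  # an origin carries no path, query or userinfo
    host = f"[{parts.hostname}]" if ":" in parts.hostname else parts.hostname
    origin = f"{parts.scheme}://{host}"
    if port is not None and port != DEFAULT_PORTS[parts.scheme]:
        origin += f":{port}"
    return origin


def load_allowed_origins(configured):
    """Validate the configured list once at startup (hypothetical config format)."""
    allowed = set()
    for entry in configured:
        if entry == ANY_ORIGIN:
            return frozenset({ANY_ORIGIN})
        origin = normalise_origin(entry.rstrip("/"))
        if origin is None:
            raise ValueError(f"not a valid origin: {entry!r}")
        allowed.add(origin)
    return frozenset(allowed)


def cors_headers(request_origin, allowed):
    """Build the CORS response headers for one request's Origin header."""
    if ANY_ORIGIN in allowed:
        return {"Access-Control-Allow-Origin": ANY_ORIGIN}
    # Vary: Origin keeps shared caches from reusing a response across origins.
    headers = {"Vary": "Origin"}
    origin = normalise_origin(request_origin) if request_origin else None
    # Exact match on the full origin; the canonical value is echoed, not the raw header.
    if origin in allowed:
        headers["Access-Control-Allow-Origin"] = origin
    return headers
```

Matching on the whole normalised origin rather than a prefix or suffix means a look-alike host such as `dashboard.example.org.other.example` does not receive the header.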