Embedding SDK - add CORS header for API endpoints (#40394)

* Add CORS solution for SDK

* Review fixes

* Linter fixes

src/metabase/server/middleware/security.clj

@@ -126,6 +126,12 @@
           "Content-Security-Policy"
           #(format "%s frame-ancestors %s;" % (if allow-iframes? "*" (or (embedding-app-origin) "'none'")))))
 
+(defn- access-control-headers
+  []
+  {"Access-Control-Allow-Origin"    (embedding-app-origin)
+   "Access-Control-Allow-Headers"   "*"
+   "Access-Control-Expose-Headers"  "X-Metabase-Anti-CSRF-Token"})
+
 (defn- first-embedding-app-origin
   "Return only the first embedding app origin."
   []
@@ -143,6 +149,7 @@
      (cache-prevention-headers))
    strict-transport-security-header
    (content-security-policy-header-with-frame-ancestors allow-iframes? nonce)
+   (when (embedding-app-origin) (access-control-headers))
    (when-not allow-iframes?
      ;; Tell browsers not to render our site as an iframe (prevent clickjacking)
      {"X-Frame-Options"                 (if (embedding-app-origin)

src/metabase/server/routes.clj

@@ -2,7 +2,7 @@
   "Main Compojure routes tables. See https://github.com/weavejester/compojure/wiki/Routes-In-Detail for details about
    how these work. `/api/` routes are in `metabase.api.routes`."
   (:require
-   [compojure.core :refer [context defroutes GET]]
+   [compojure.core :refer [context defroutes GET OPTIONS]]
    [compojure.route :as route]
    [metabase.api.dataset :as api.dataset]
    [metabase.api.routes :as api]
@@ -60,6 +60,9 @@
                 (log/warn e (trs "Error in api/health database check"))
                 {:status 503 :body {:status "Error getting app-db connection"}}))
          {:status 503, :body {:status "initializing", :progress (init-status/progress)}}))
+
+  (OPTIONS "/api/*" [] {:status 200 :body ""})
+
   ;; ^/api/ -> All other API routes
   (context "/api" [] (fn [& args]
                        ;; Redirect naughty users who try to visit a page other than setup if setup is not yet complete