
Add CORS header when none exist from PASTA #15

@servilla

Users of JavaScript who make requests against the PASTA API require, at a minimum, an Access-Control-Allow-Origin header that allows the requesting site domain. If the request is complex (i.e., PUT, DELETE, or POST with non-standard payloads), a CORS preflight approval is enforced by the browser. This type of request requires additional headers before the browser will allow the request to proceed. In the case of thumbnail management, both the create and delete thumbnail JavaScript requests result in a CORS preflight flow, which returns the appropriate set of CORS headers directly from PASTA in the response headers. If these do not exist in the response header, the Gatekeeper should add the simple CORS header: Access-Control-Allow-Origin = *.

Note 1: With this enhancement, the NGINX instance on the Gatekeeper should NOT add the Access-Control-Allow-Origin header if the Gatekeeper is already providing the appropriate CORS header(s) in all responses. On pasta-s.lternet.edu, both NGINX and the Gatekeeper were adding CORS headers to the response, resulting in a browser error because there were two values in the Access-Control-Allow-Origin header (e.g., Access-Control-Allow-Origin = *,*) during the preflight flow of thumbnail management.

Note 2: A future implementation of this enhancement may limit the CORS header to only approved sites.
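
The behaviour requested above, sketched as an added example (not part of the issue and not the Gatekeeper's own code): a layer that adds `Access-Control-Allow-Origin: *` only when the upstream response has none, next to a layer that appends it unconditionally, with a simplified version of the browser's check. The function names, sample responses and origin are assumptions constructed for illustration.

```python
# Added example: header lists are constructed sample data, not captured PASTA traffic.
ACAO = "Access-Control-Allow-Origin"

def has_header(headers, name):
    """Header names are case-insensitive, so compare lowercased."""
    return any(k.lower() == name.lower() for k, _ in headers)

def gatekeeper_add_cors(headers):
    """Hypothetical Gatekeeper step: add the simple CORS header only if none exists."""
    out = list(headers)
    if not has_header(out, ACAO):
        out.append((ACAO, "*"))
    return out

def proxy_append_cors(headers):
    """Models a proxy layer that appends the header without inspecting the response."""
    return list(headers) + [(ACAO, "*")]

def browser_accepts(headers, origin):
    """Simplified browser check for a request without credentials:
    all values of the header are combined, and the result must be '*' or the origin."""
    values = [v.strip() for k, v in headers if k.lower() == ACAO.lower()]
    if not values:
        return False
    combined = ", ".join(values)  # two headers become "*, *", which matches nothing
    return combined in ("*", origin)

# Constructed responses: a preflight answered by the upstream with its own CORS
# headers, and a plain response that carries none.
PREFLIGHT_FROM_UPSTREAM = [("access-control-allow-origin", "*"),
                           ("Access-Control-Allow-Methods", "PUT, DELETE")]
PLAIN_FROM_UPSTREAM = [("Content-Type", "application/xml")]
ORIGIN = "https://portal.example.org"  # placeholder requesting site

def scenarios():
    """Return whether the browser accepts each layering of header sources."""
    gk_plain = gatekeeper_add_cors(PLAIN_FROM_UPSTREAM)
    gk_preflight = gatekeeper_add_cors(PREFLIGHT_FROM_UPSTREAM)
    return {
        "plain, gatekeeper only": browser_accepts(gk_plain, ORIGIN),
        "preflight, gatekeeper only": browser_accepts(gk_preflight, ORIGIN),
        "plain, gatekeeper + proxy": browser_accepts(proxy_append_cors(gk_plain), ORIGIN),
        "preflight, gatekeeper + proxy": browser_accepts(proxy_append_cors(gk_preflight), ORIGIN),
    }

if __name__ == "__main__":
    for name, ok in scenarios().items():
        print(f"{name}: {'accepted' if ok else 'blocked (missing or duplicate header)'}")
```
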

Labels

- development: Deployed to development environment
- feature: New feature
- staging: Deployed to staging environment
