CORS headers are no longer included on results.json responses

[mythmon]

Issue Summary

CORS headers are no longer sent on responses for results.json. This prevents Redash data from being used in some kinds of external dashboards. I'm seeing this in Firefox Nightly on Linux, but I expect it would happen in any browser.

Steps to Reproduce

1. Open https://beta.observablehq.com/@mythmon/normandy-timer-increase-study-enrollment
2. Look in the network console
3. See the following error:

Cross-Origin Request Blocked: The Same Origin Policy disallows reading the remote resource at https://sql.telemetry.mozilla.org/api/queries/52031/results.json?api_key=hTmoNe785VK4o5uRx86sSvO35xHiYnnfls8MB75l. (Reason: CORS header ‘Access-Control-Allow-Origin’ missing).

Previously (about 3 weeks ago), the CORS headers were included, allowing external dashboards like this to work.

The query I'm trying to read data from is https://sql.telemetry.mozilla.org/queries/52031.

Technical details:

• Redash Version: https://sql.telemetry.mozilla.org/
• Browser/OS: Firefox Nightly 61, Linux
• How did you install Redash: I did not

[alison985]

Previous work related to this as a reference: getredash#1374

@rafrombrc Currently re:Dash code requires the requesting website to send an "Origin" header. If I modify the request headers using this Firefox Add-On https://addons.mozilla.org/en-US/firefox/addon/modify-header-value/ to send the "Origin" header then I get the "Access-Control-Allow-Origin" response header on my local. Do we want to remove the requirement that the requesting website has to send an "Origin" header?

[robotblake]

So this issue actually appears to be down to the result set being too large, postgres is reporting ~384MB, did something change in the query or the underlying data set?

[mythmon]

It makes sense that the dataset grew over time. I'm a bit surprised by the amount though.

It would be nice if there was a more direct error.

[alison985]

Captured that CORS headers should be captured in 500 errors here: #416