DEV: Simplify CORS logic for public asset routes (#33106)

Previously we would check the request for a matching CDN hostname before
applying the `Access-Control-Allow-Origin` header. That logic requires
the CDN to include its public-facing hostname in the `Host` header,
which is not always the case.

Since we are only running this `apply_cdn_headers` before_action on
publicly-accessible asset routes, we can simplify things so that the
`Access-Control-Allow-Origin: *` header is always included. That will
make CDN config requirements much more relaxed.

At the moment, this is primarily relevant to the HighlightJsController
routes, which are loaded using native JS `type=module`. But in the near
future, we plan to expand our use of `type=module` to more critical JS
assets like translations and themes.

Also drops the `Access-Control-Allow-Methods` header from these
responses. That isn't needed for `GET` and `HEAD` requests.

app/controllers/application_controller.rb

@@ -693,9 +693,7 @@ class ApplicationController < ActionController::Base
   end
 
   def apply_cdn_headers
-    if Discourse.is_cdn_request?(request.env, request.method)
-      Discourse.apply_cdn_headers(response.headers)
-    end
+    Discourse.apply_cdn_headers(response.headers)
   end
 
   def self.requires_login(arg = {})

lib/discourse.rb

@@ -8,7 +8,6 @@ require "git_utils"
 
 module Discourse
   DB_POST_MIGRATE_PATH = "db/post_migrate"
-  REQUESTED_HOSTNAME = "REQUESTED_HOSTNAME"
   MAX_METADATA_FILE_SIZE = 64.kilobytes
 
   class Utils
@@ -1198,22 +1197,8 @@ module Discourse
     ENV["RAILS_ENV"] == "test" && ENV["TEST_ENV_NUMBER"]
   end
 
-  CDN_REQUEST_METHODS = %w[GET HEAD OPTIONS]
-
-  def self.is_cdn_request?(env, request_method)
-    return if CDN_REQUEST_METHODS.exclude?(request_method)
-
-    cdn_hostnames = GlobalSetting.cdn_hostnames
-    return if cdn_hostnames.blank?
-
-    requested_hostname = env[REQUESTED_HOSTNAME] || env[Rack::HTTP_HOST]
-    cdn_hostnames.include?(requested_hostname)
-  end
-
   def self.apply_cdn_headers(headers)
     headers["Access-Control-Allow-Origin"] = "*"
-    headers["Access-Control-Allow-Methods"] = CDN_REQUEST_METHODS.join(", ")
-    headers
   end
 
   def self.allow_dev_populate?

lib/middleware/enforce_hostname.rb

@@ -17,7 +17,6 @@ module Middleware
       allowed_hostnames = RailsMultisite::ConnectionManagement.current_db_hostnames
       requested_hostname = env[Rack::HTTP_HOST]
 
-      env[Discourse::REQUESTED_HOSTNAME] = requested_hostname
       env[Rack::HTTP_HOST] = allowed_hostnames.find { |h| h == requested_hostname } ||
         Discourse.current_hostname_with_port
 

spec/requests/highlightjs_controller_spec.rb

@@ -5,7 +5,7 @@ RSpec.describe HighlightJsController do
     get HighlightJs.path
     expect(response.status).to eq(200)
     expect(response.body).to include("export default function")
-    expect(response.headers["Access-Control-Allow-Origin"]).to eq(nil)
+    expect(response.headers["Access-Control-Allow-Origin"]).to eq("*")
   end
 
   it "works via a CDN" do