feat: common CORS settings for LMS and CMS

The ENABLE_CORS_HEADERS feature flag is already true for the LMS.
Instead of duplicating it for Studio via yaml settings, make this a
common Django setting to both LMS and CMS and all their environments.

CHANGELOG.md

@@ -18,6 +18,8 @@ Every user-facing change should have an entry in this changelog. Please respect
 
 ## Unreleased
 
+- [Improvement] Enable CORS by default for both LMS and CMS by moving those settings to the `common_all` partial. (by @arbrandes)
+
 ## v14.2.0 (2022-11-21)
 
 - [Improvement] Auto-complete implicit `local/dev --mount /path/to/...` options. (by @regisb)

tutor/templates/apps/openedx/config/lms.env.yml

@@ -9,7 +9,6 @@ FEATURES:
   {{ patch("lms-env-features")|indent(2) }}
   CERTIFICATES_HTML_VIEW: true
   PREVIEW_LMS_BASE: "{{ PREVIEW_LMS_HOST }}"
-  ENABLE_CORS_HEADERS: true
   ENABLE_COURSE_DISCOVERY: true
   ENABLE_COURSEWARE_SEARCH: true
   ENABLE_CSMH_EXTENDED: false

tutor/templates/apps/openedx/settings/partials/common_all.py

@@ -65,9 +65,6 @@ DATABASE_ROUTERS.remove(
 # Set uploaded media file path
 MEDIA_ROOT = "/openedx/media/"
 
-# Add your MFE and third-party app domains here
-CORS_ORIGIN_WHITELIST = []
-
 # Video settings
 VIDEO_IMAGE_SETTINGS["STORAGE_KWARGS"]["location"] = MEDIA_ROOT
 VIDEO_TRANSCRIPTS_SETTINGS["STORAGE_KWARGS"]["location"] = MEDIA_ROOT
@@ -160,6 +157,16 @@ JWT_AUTH["JWT_ISSUERS"] = [
 # Enable/Disable some features globally
 FEATURES["ENABLE_DISCUSSION_SERVICE"] = False
 FEATURES["PREVENT_CONCURRENT_LOGINS"] = False
+FEATURES["ENABLE_CORS_HEADERS"] = True
+
+# CORS
+CORS_ALLOW_CREDENTIALS = True
+CORS_ORIGIN_ALLOW_ALL = False
+CORS_ALLOW_INSECURE = {% if ENABLE_HTTPS %}False{% else %}True{% endif %}
+CORS_ALLOW_HEADERS = corsheaders_default_headers + ('use-jwt-cookie',)
+
+# Add your MFE and third-party app domains here
+CORS_ORIGIN_WHITELIST = []
 
 # Disable codejail support
 # explicitely configuring python is necessary to prevent unsafe calls