
Add default API CORS HTTP Headers (#6659)

* Add default API CORS HTTP Headers
To allow interacting with our APIs from a JavaScript application.
So far limited to the APIs: Greader, User queries
Fix https://github.com/FreshRSS/FreshRSS/discussions/6654#discussioncomment-10131144

* Early abort for OPTIONS requests

* Move a bit OPTIONS test

* No content!

* More cleaning
Alexandre Alapetite před 1 rokem
rodič
revize
47a3e15edc
2 změnil soubory, kde provedl 23 přidání a 0 odebrání
  1. 14 0
      p/api/greader.php
  2. 9 0
      p/api/query.php

+ 14 - 0
p/api/greader.php

@@ -112,6 +112,12 @@ function debugInfo(): string {
 
 final class GReaderAPI {
 
+	/** @return never */
+	private static function noContent() {
+		header('HTTP/1.1 204 No Content');
+		exit();
+	}
+
 	/** @return never */
 	private static function badRequest() {
 		Minz_Log::warning(__METHOD__, API_LOG);
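Review bot: `noContent()` writes the status line as the literal `header('HTTP/1.1 204 No Content');`, which pins the protocol version in the string instead of letting PHP derive it from the request. `http_response_code(204);` followed by `exit();` states the intent without that. The same literal is repeated inline in the OPTIONS branch of `p/api/query.php`, so both sites could change together. If the sibling helpers such as `badRequest()` (whose body continues outside this hunk) use the literal form on purpose, keeping it for consistency is reasonable, but a one-line docblock saying the helper answers CORS preflight requests would still help.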
@@ -987,6 +993,14 @@ final class GReaderAPI {
 	public static function parse() {
 		global $ORIGINAL_INPUT;
 
+		header('Access-Control-Allow-Headers: Authorization');
+		header('Access-Control-Allow-Methods: GET, POST');
+		header('Access-Control-Allow-Origin: *');
+		header('Access-Control-Max-Age: 600');
+		if (($_SERVER['REQUEST_METHOD'] ?? '') === 'OPTIONS') {
+			self::noContent();
+		}
+
 		$pathInfo = '';
 		if (empty($_SERVER['PATH_INFO'])) {
 			if (!empty($_SERVER['ORIG_PATH_INFO'])) {
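Review bot: The CORS headers at the top of `parse()` open the API to every origin, and nothing in the code records why the wildcard is acceptable here. With `Access-Control-Allow-Origin: *` browsers do not attach cookies or HTTP authentication to cross-origin requests, so a foreign page can only present a token it already holds in the `Authorization` header. That argument breaks if someone later adds `Access-Control-Allow-Credentials` or starts echoing the request origin. I would put the reasoning in a comment above the block, for example `// CORS: wildcard origin is acceptable because auth is token-only (Authorization header); never combine with Access-Control-Allow-Credentials`. The rest of `parse()` lies outside the hunk, so it is not visible whether the headers and the 204 reply are also sent when API access is disabled; if they are, moving the block behind that check may be worth considering.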

+ 9 - 0
p/api/query.php

@@ -159,6 +159,15 @@ if ($query->getName() != '') {
 }
 FreshRSS_Context::systemConf()->allow_anonymous = true;
 
+header('Access-Control-Allow-Methods: GET');
+header('Access-Control-Allow-Origin: *');
+header('Access-Control-Max-Age: 600');
+header('Cache-Control: public, max-age=60');
+if (($_SERVER['REQUEST_METHOD'] ?? '') === 'OPTIONS') {
+	header('HTTP/1.1 204 No Content');
+	exit();
+}
+
 if (in_array($format, ['rss', 'atom'], true)) {
 	header('Content-Type: application/rss+xml; charset=utf-8');
 	$view->_layout(null);
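Review bot: `header('Cache-Control: public, max-age=60');` is added alongside the CORS headers but is a separate behaviour change that the commit description does not mention. `public` allows shared caches to store the response for the shared query, so content may still be served for up to 60 seconds after the query's token is changed or sharing is turned off. If that window is intended, a short comment such as `// shared queries are anonymous by design; a 60 s shared-cache window after revocation is accepted` would make the trade-off explicit. Otherwise `private` or a shorter lifetime would be the safer choice. The header is also sent on the 204 preflight reply because it precedes the OPTIONS check, and the validation code above the hunk is not visible from here.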