when running the router in --dev mode, whether through rover dev or otherwise, i may like to point a local front end application at the local router endpoint. unfortunately, this is not possible with the default --dev configuration - requests can only be made from embedded sandbox.
since we recommend folks not to run --dev in production environments, i think it should be OK to set cors.allow_any_origin = true when running in --dev mode to enable these development workflows.
This is continuously a challenging issue. The challenge with using * for origin is that it is fundamentally incompatible with the access-control-allow-credentials flag which I believe becomes necessary the second you use an authorization header.
And still, even just allowing * puts your Router (which is a proxy to the internet and production environments in some cases!) in the position of being subject to malicious plugins/tools running on the local computer that might be probing for insecure localhost or specifically engineered to exploit a known endpoint/configuration.
Ultimately, users need to understand that the CORS domain needs to be set. However, we think we can help them:
Proposal:
When running in --dev mode, if the Router, after evaluating the origin: header sent by the browser, is choosing to deny a particular request, it can log a helpful message to the console instructing how to make the change.
I know this isn't compatible with Rover's starting of the Router at this second (since Rover doesn't allow configuration), but this will at least make --dev a bit easier.
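The proposal in the comment above, sketched as an added example (not Apollo Router code and not written by anyone in this thread): an exact-match origin check that refuses the wildcard-plus-credentials combination and, in dev mode only, returns a hint when it denies an origin. The type names, the hint wording and the sample localhost origins are assumptions.

```rust
// Added example: standalone sketch, not Apollo Router source code.
#[derive(Debug, PartialEq)]
enum CorsDecision {
    Allow { allow_origin: String, allow_credentials: bool },
    Deny { dev_hint: Option<String> },
}

struct CorsPolicy {
    allow_any_origin: bool,
    allow_credentials: bool,
    origins: Vec<String>, // exact scheme://host:port strings
}

impl CorsPolicy {
    /// Browsers reject `Access-Control-Allow-Origin: *` on credentialed
    /// requests, so refuse that combination when the config is loaded.
    fn validate(&self) -> Result<(), String> {
        if self.allow_any_origin && self.allow_credentials {
            return Err("allow_any_origin cannot be combined with allow_credentials".into());
        }
        Ok(())
    }

    /// Decide on one request's Origin header. A hint is produced only in dev mode.
    fn evaluate(&self, origin: &str, dev_mode: bool) -> CorsDecision {
        if self.allow_any_origin {
            return CorsDecision::Allow { allow_origin: "*".into(), allow_credentials: false };
        }
        if self.origins.iter().any(|o| o == origin) {
            // Echo the exact origin rather than `*` so credentials keep working.
            return CorsDecision::Allow { allow_origin: origin.into(), allow_credentials: self.allow_credentials };
        }
        // {:?} escapes control characters in the untrusted header value before it is logged.
        let dev_hint = dev_mode.then(|| format!(
            "CORS: denied origin {origin:?}; add it to the router's allowed origins to permit it (hypothetical wording)"
        ));
        CorsDecision::Deny { dev_hint }
    }
}

fn main() {
    // Constructed sample: one allowed local front end, one unknown origin.
    let policy = CorsPolicy { allow_any_origin: false, allow_credentials: true, origins: vec!["http://localhost:3000".into()] };
    policy.validate().expect("valid policy");
    println!("{:?}", policy.evaluate("http://localhost:5173", true));
}
```

Outside dev mode the denial carries no hint, so the behaviour a production deployment exposes to a probing origin is unchanged.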