STCLI-247 overwrite CORS headers in proxy responses

[zburke]

There are two features here:

1. provide new CLI option --proxyUrl to allow use of a hostname other than localhost, allowing the machine hosting the bundle to be accessed remotely (e.g. from a conference room, or by a colleague in another office, etc etc)
2. overwrite CORS headers between the proxy and browser, satisfying the browser that CORS requirements are being met (shhhhh)

Details on Part 2:

Overwrite the following CORS headers between the proxy and browser:

Access-Control-Allow-Origin: http://localhost:${PORT}
Access-Control-Allow-Credentials: true

The ACAO value is commonly set to * for un-credentialed requests (i.e. those without cookies), but as MDN docs for CORS notes:

When responding to a credentialed requests request, the server must specify an origin in the value of the Access-Control-Allow-Origin header, instead of specifying the “*” wildcard. Likewise, the ACAC value is commonly set to "" for uncredentialed requests, but must be set to true to allow cookies to pass through.

These CORS settings appear to have been in place before RTR was introduced, and may still be in place in some backend environments. Overriding these values in the local proxy is a prudent way to allow local development to continue while waiting for the backend settings to catch up.

Refs STCLI-247

[github-actions]

Jest Unit Test Statistics

0 tests  ±0   0 ✔️ ±0   0s ⏱️ ±0s
0 suites ±0   0 💤 ±0 
0 files   ±0   0 ❌ ±0 

Results for commit acbd72e. ± Comparison against base commit 48e31cc.

♻️ This comment has been updated with latest results.

[sonarcloud]

Quality Gate passed

Issues
0 New issues
0 Accepted issues

Measures
0 Security Hotspots
0.0% Coverage on New Code
0.0% Duplication on New Code

See analysis details on SonarCloud