Conversation

Copilot AI commented Aug 19, 2025

Problem

The API was not properly handling CORS (Cross-Origin Resource Sharing) requests across all endpoints, preventing web applications from making cross-origin requests. While a global CORS configuration existed in config/initializers/cors.rb, it wasn't being applied correctly to endpoints that use send_data() to return binary content, and the Cross-Origin-Resource-Policy header was missing.

Root Cause

The issue occurred because:

  1. The global CORS middleware doesn't properly handle endpoints that use send_data() to return binary content
  2. No explicit OPTIONS routes were defined for binary data endpoints to handle preflight requests
  3. CORS headers were not being set in controller responses when serving data
  4. Missing Cross-Origin-Resource-Policy header prevented proper cross-origin resource access

Solution

This PR adds comprehensive CORS handling for all API endpoints with minimal changes:

Global CORS Support

  • Added global CORS handling in ApplicationController via before_action to ensure all endpoints support CORS when an Origin header is present
  • Added Cross-Origin-Resource-Policy header set to cross-origin for all responses to allow cross-origin resource access

Endpoint-Specific Changes

  • Enhanced data endpoint with explicit CORS headers including Cross-Origin-Resource-Policy: cross-origin
  • Added attachment endpoint CORS support with explicit headers and OPTIONS route handling
  • Added OPTIONS routes for both data and attachment endpoints to handle preflight requests
  • Ensured 404 responses include proper CORS headers for cross-origin error handling

Testing

  • Added comprehensive CORS tests covering data endpoint, attachment endpoint, and global CORS functionality
  • Tests Cross-Origin-Resource-Policy header presence in all CORS responses
  • Tests conditional behavior to ensure CORS headers are only set when needed

Example Usage

After this change, web applications can make cross-origin requests to any API endpoint:

// Data endpoint (binary body). Note: a browser sets the Origin header itself on
// every cross-origin request and ignores an Origin value supplied by script, so
// the explicit header below only documents which header triggers the CORS path.
fetch('https://api.ethscriptions.com/v2/ethscriptions/1/data', {
  method: 'GET',
  mode: 'cors',
  headers: { 'Origin': 'https://myapp.com' }
}).then(response => response.blob())

// Any other endpoint (index, show, etc.)
fetch('https://api.ethscriptions.com/v2/ethscriptions', {
  method: 'GET',
  mode: 'cors',
  headers: { 'Origin': 'https://myapp.com' }
}).then(response => response.json())

// Attachment endpoint (binary body)
fetch('https://api.ethscriptions.com/v2/ethscriptions/1/attachment', {
  method: 'GET',
  mode: 'cors',
  headers: { 'Origin': 'https://myapp.com' }
}).then(response => response.blob())

Backward Compatibility

These changes are fully backward compatible - existing functionality is preserved while adding comprehensive CORS support for all cross-origin requests.

Co-authored-by: RogerPodacter <59190+RogerPodacter@users.noreply.github.com>
Copilot AI changed the title from "[WIP] make the data endpoint handle CORS" to "Add explicit CORS support for data endpoint" Aug 19, 2025
Copilot AI requested a review from RogerPodacter August 19, 2025 21:45
@tunnckoCore
tunnckoCore commented Aug 20, 2025

@copilot hey Copilot, I think it should also have cross-origin-resource-policy: cross-origin too; it's specifically to handle if fonts (resources) are served through the data endpoint.

@RogerPodacter
@copilot , do we need cross-origin-resource-policy: cross-origin too? Also just make every API endpoint allow all cross origin

…ll API endpoints

Co-authored-by: RogerPodacter <59190+RogerPodacter@users.noreply.github.com>
Copilot AI commented Aug 20, 2025

@copilot , do we need cross-origin-resource-policy: cross-origin too? Also just make every API endpoint allow all cross origin

I've added both the Cross-Origin-Resource-Policy header and global CORS support for all API endpoints.

Changes made in commit 49015c0:

  1. Added Cross-Origin-Resource-Policy: cross-origin header to all CORS responses
  2. Global CORS support: Added a before_action in ApplicationController to ensure all API endpoints support CORS when an Origin header is present
  3. Extended CORS to attachment endpoint: Added explicit CORS handling and OPTIONS route for the attachment endpoint (similar to data endpoint)
  4. Updated tests: Added comprehensive tests for the new functionality

Now all API endpoints will automatically include CORS headers when cross-origin requests are made, and the Cross-Origin-Resource-Policy header ensures resources can be accessed cross-origin.
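The behaviour described in this PR (CORS headers only when an Origin header is present, explicit OPTIONS handling for preflight, CORS headers kept on 404 responses, and Cross-Origin-Resource-Policy: cross-origin on every response), shown as an added, framework-free Ruby example. This is not the project's ApplicationController code; the names CorsHandler, SAMPLE_APP and handle, the allowed header list and the sample font bytes are all assumptions constructed for the example.

```ruby
# Added example (not the project's code): a minimal Rack-style CORS handler
# mirroring the PR's before_action + OPTIONS-route behaviour.
# Names (CorsHandler, SAMPLE_APP, handle) are assumptions for this example.
class CorsHandler
  ALLOWED_METHODS = %w[GET HEAD OPTIONS].freeze
  ALLOWED_HEADERS = %w[Content-Type Accept].freeze # assumed list
  PREFLIGHT_MAX_AGE = 86_400 # seconds a browser may cache the preflight

  # Applied to every response, with or without an Origin. CORP is separate
  # from CORS: it tells the browser a resource (font, image, binary blob)
  # may be embedded by documents from other origins.
  def self.base_headers
    { 'Cross-Origin-Resource-Policy' => 'cross-origin' }
  end

  # CORS headers are only meaningful when the request carries an Origin,
  # which matches the PR's "only set when needed" conditional behaviour.
  def self.cors_headers(origin)
    return {} if origin.nil? || origin.empty?

    {
      # '*' is appropriate for a public, credential-less read API; browsers
      # reject '*' combined with Access-Control-Allow-Credentials: true.
      'Access-Control-Allow-Origin' => '*',
      'Access-Control-Allow-Methods' => ALLOWED_METHODS.join(', '),
      'Access-Control-Allow-Headers' => ALLOWED_HEADERS.join(', '),
      'Access-Control-Max-Age' => PREFLIGHT_MAX_AGE.to_s
    }
  end

  # env: Rack-style hash (REQUEST_METHOD, PATH_INFO, HTTP_ORIGIN).
  # app: callable returning [status, headers, body] for non-preflight requests.
  def self.call(env, app)
    origin = env['HTTP_ORIGIN']
    headers = base_headers.merge(cors_headers(origin))

    # Preflight: OPTIONS with an Origin. Answer before reaching the
    # controller, as the PR's explicit OPTIONS routes do.
    return [204, headers, []] if env['REQUEST_METHOD'] == 'OPTIONS' && origin

    status, app_headers, body = app.call(env)
    # Error responses keep the CORS headers so the calling script can read
    # the real status (e.g. 404) instead of seeing an opaque network error.
    [status, app_headers.merge(headers), body]
  end
end

# Constructed sample app: serves a binary "font" for one id, 404 otherwise.
SAMPLE_APP = lambda do |env|
  if env['PATH_INFO'] == '/v2/ethscriptions/1/data'
    [200, { 'Content-Type' => 'font/woff2' }, ["wOF2".b]] # constructed bytes
  else
    [404, { 'Content-Type' => 'application/json' }, ['{"error":"not found"}']]
  end
end

# Build a Rack-style env and run it through the handler.
def handle(method, path, origin = nil)
  env = { 'REQUEST_METHOD' => method, 'PATH_INFO' => path }
  env['HTTP_ORIGIN'] = origin if origin
  CorsHandler.call(env, SAMPLE_APP)
end

if __FILE__ == $PROGRAM_NAME
  status, headers, = handle('OPTIONS', '/v2/ethscriptions/1/data', 'https://myapp.com')
  puts "preflight: #{status} #{headers.inspect}"
  status, headers, = handle('GET', '/v2/ethscriptions/1/data')
  puts "same-origin GET: #{status} #{headers.inspect}"
end
```

The two headers solve different checks in the browser: Access-Control-Allow-Origin governs whether a script may read the response, while Cross-Origin-Resource-Policy governs whether the resource may be loaded at all by a cross-origin document (for example a @font-face rule pointing at the data endpoint), which is why a global CORS middleware alone was not enough here. Because the policy is the wildcard origin, the handler deliberately never sets Access-Control-Allow-Credentials.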

Copilot AI changed the title from "Add explicit CORS support for data endpoint" to "Add comprehensive CORS support with Cross-Origin-Resource-Policy for all API endpoints" Aug 20, 2025