CORS requirements can be misread #192
Description
This is a follow up to a conversation in an issue logged with the NMOS API Testing Tool (AMWA-TV/nmos-testing#722).
Currently the Server Side Implementation Notes state that "all NMOS APIs MUST implement valid CORS HTTP headers in responses to all requests". As currently worded this can be interpereted to mean that all APIs must always send CORS headers, regardless of whether or not the client is making a cross origin request that requires CORS headers.
However the Fetch specification, which specifies CORS, only requires servers to send CORS headers if the client is making a cross origin request and participating in the CORS protocol. This is indicated by the client sending an Origin header, or in the case of a preflight request an Access-Control-Request-Method header.
I expect the intention here was not for NMOS API servers to respond with CORS headers at all times, but rather for servers to respond with the appropriate CORS headers to allow a cross origin request when the client makes a CORS request as per the Fetch specification. As such the NMOS specifications should be reworded to clarify this.
The issue with the current wording is some NMOS client implementations expect server to always send CORS headers. However some servers and development frameworks (e.g. ASP.NET) by default only send CORS headers when they receive an appropriate header (e.g. Origin) in the request from the client, which is valid behaviour per the Fetch specification.