Revert Graphql CORS from 2.4.1

[Silarn]

Reverting Graphql CORS from 2.4.1 as it poses a security concern

I think the Admin Panel control is a business consideration, you guys like behavior, that's fine.
But my other comment on implementation is that the current implementation is wrong. (edited)

This implementation has some bugs:
We also check whether or not the domain is allowed, otherwise you'll have headers attached when you shouldn't./
Additionally some headers should be only be on OPTIONS some on the subsequent GraphQL request

These bugs can lead to security concerns so it's best to just revert and fix them in 2.4.2

#28561
#26425

[misha-kotov]

Thanks for your feedback. I've added CORS headers support as an improvement item for our APIs (MAGETWO-64314)

In the meantime, I understand that headers are extensible. Pasting the following from elsewhere, but to be honest I'm not entirely sure if it'll help in this case or not:

app/code/Magento/Store/etc/di.xml:337
\Magento\Framework\App\Response\HeaderManager
Magento\Framework\App\Response\HeaderProvider\XssProtection

The idea is you inject a new "header provider" into the $headerProviderList parameter of Magento\Framework\App\Response\HeaderManager, and this header provider implements the interface \Magento\Framework\App\Response\HeaderProvider\HeaderProviderInterface, so it supplies the name and value of header and whether or not to add it.

[Silarn]

Thanks for the tip. I've created a workaround in the Apache configuration for now, but this might be a better solution.

[piotrekkaminski]

Thank you for your submission.

We recently made some changes to the way we process GitHub submissions to more quickly identify and respond to core code issues.

Feature Requests and Improvements should now be submitted to the new Magento 2 Feature Requests and Improvements forum (see details here).

We are closing this GitHub ticket and have moved your request to the new forum.