fix: allow course import from Course Authoring MFE (#1063)

Remove CORS_ALLOW_HEADERS setting from the LMS/Studio config template. This
setting, which holds site-agnostic application logic, is now consistently set
to a reasonable value upstream by LMS and CMS config. Using the upstream values
fixes a bug where course import in Studio using the new Course Authoring MFE
was broken in Tutor deployments because it required additional headers to be
allowed (content-range and content-disposition)

Co-authored-by: Kyle McCormick <[email protected]>

changelog.d/20240508_111720_dave_fix_cors_headers.md

@@ -0,0 +1 @@
+- [Bugfix] Remove CORS_ALLOW_HEADERS setting from the LMS/Studio config template. This setting, which holds site-agnostic application logic, is now consistently set to a reasonable value upstream by LMS and CMS config. Using the upstream values fixes a bug where course import in Studio using the new Course Authoring MFE was broken in Tutor deployments because it required additional headers to be allowed (content-range and content-disposition) (by @ormsbee)

tutor/templates/apps/openedx/settings/partials/common_all.py

@@ -230,7 +230,8 @@
 CORS_ALLOW_CREDENTIALS = True
 CORS_ORIGIN_ALLOW_ALL = False
 CORS_ALLOW_INSECURE = {% if ENABLE_HTTPS %}False{% else %}True{% endif %}
-CORS_ALLOW_HEADERS = corsheaders_default_headers + ('use-jwt-cookie',)
+# Note: CORS_ALLOW_HEADERS is intentionally not defined here, because it should
+# be consistent across deployments, and is therefore set in edx-platform.
 
 # Add your MFE and third-party app domains here
 CORS_ORIGIN_WHITELIST = []