python bridge: drop CORS headers

The correct thing for us to do with CORS is not to participate in it at
all, so stop sending the `Access-Control-Allow-Origin` header.

Modify our existing integration test which checks for the presence and
value of the Access-Control-Allow-Origin header and replace it with a
check that all headers are missing.

src/cockpit/packages.py

@@ -324,7 +324,6 @@ def serve_file(self, path, channel):
             data, (content_type, encoding) = self.files[path]
 
         headers = {
-            "Access-Control-Allow-Origin": channel.origin,
             "Content-Encoding": encoding,
         }
         if content_type is not None and content_type.startswith('text/html'):

test/verify/check-connection

@@ -439,7 +439,21 @@ class TestConnection(testlib.MachineCase):
         headers = m.execute("curl -k --head -b cockpit.jar -s https://127.0.0.1:9090/")
         self.assertIn(
             "default-src 'self' https://127.0.0.1:9090; connect-src 'self' https://127.0.0.1:9090 wss://127.0.0.1:9090", headers)
-        self.assertIn("Access-Control-Allow-Origin: https://127.0.0.1:9090", headers)
+        if self.is_pybridge():
+            # We want to make sure we're *not* sending any CORS headers.
+            CORS_HEADERS = [
+                # https://en.wikipedia.org/wiki/Cross-origin_resource_sharing#Response_headers
+                'Access-Control-Allow-Credentials',
+                'Access-Control-Expose-Headers',
+                'Access-Control-Max-Age',
+                'Access-Control-Allow-Methods',
+                'Access-Control-Allow-Headers',
+            ]
+            for cors_header in CORS_HEADERS:
+                self.assertNotIn(cors_header, headers)
+        else:
+            self.assertIn("Access-Control-Allow-Origin: https://127.0.0.1:9090", headers)
+
         # CORP and Frame-Options are also set for dynamic paths
         self.assertIn("Cross-Origin-Resource-Policy: same-origin", headers)
         self.assertIn("X-Frame-Options: sameorigin", headers)