Allow CORS for all origins on *Public* projects
Description
Public projects are just that - public. I think that cross-origin resource sharing (CORS) should be allowed for public projects. Recently the security issue #22450 (closed) was fixed by commit 0ee03af8. Overall, this is a good thing because it's defaulting to a more secure environment.
However, if I host some JavaScript or JSON in a public project on gitlab.com or my self-hosted GitLab instance, I cannot access that data via AJAX. The workaround is to manually download the file and then call it from the local file path. This won't work for my use case, because I always need to point to master.
Proposal
Open up the CORS policy for public projects (only) to allow all origins to access content.
Additional Details and Background
I have a public project that has some JavaScript utilities and JSON configuration data in it. I need to access that JSON data with various programs - Python, C#, JMP, Mathematica, etc. - and can do so easily by sending a GET request to the URL http://gitlab.local/namespace/project/raw/master/data.json:
>>> import requests
>>> r = requests.get('http://gitlab.local/namespace/project/raw/master/data.json')
>>> r.status_code
200
>>> j = r.json()
>>> j['key']
{'data1': value1, 'data2': value2}
However, I also need to be able to access this data via some of our internal web sites. The standard procedure for "downloading" that data for a web page is JavaScript + AJAX (or jQuery.getJSON):
var data_url = 'http://gitlab.local/namespace/project/raw/master/data.json';
// $.getJSON is asynchronous: the parsed JSON arrives in the callback, not as a return value
$.getJSON(data_url, function (json) { console.log(json['key']); });
In this case, it's considered a cross-origin request and is denied by the CORS policy, and I get
XMLHttpRequest cannot load http://gitlab.local/namespace/project/raw/master/data.json. No 'Access-Control-Allow-Origin' header
is present on the requested resource. Origin 'null' is therefore not allowed access.
... Or at least, I think that's what's happening. I am not that strong with web dev yet.
~"feature proposal"
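What the proposal amounts to on the server side, as an added example that is not GitLab's code and not part of this issue: a Rack-style middleware that emits Access-Control-Allow-Origin: * on raw-file responses for public projects only, and nothing at all for private ones. The project visibility table, the inner app standing in for the raw-file endpoint, and the /namespace/project/raw/<ref>/<path> URL shape quoted in the issue are assumptions made for the demo; the browser_exposes? helper reproduces the read-side check that produced the error quoted above.

```ruby
# Added example (not GitLab's own code): CORS for raw files of public projects only.
# Assumptions: the /namespace/project/raw/<ref>/<path> URL shape from the issue,
# and a constructed visibility table in place of a real project lookup.

# Constructed data: which projects are public. A real deployment would ask its
# database; this table exists only so the example runs offline.
PROJECT_VISIBILITY = {
  'namespace/project' => :public,
  'namespace/secret'  => :private,
}.freeze

# Only raw-file URLs are eligible; everything else passes through untouched.
RAW_PATH = %r{\A/(?<ns>[^/]+)/(?<proj>[^/]+)/raw/}

class PublicProjectCors
  ALLOWED_METHODS = 'GET, HEAD, OPTIONS'.freeze
  PUBLIC_HEADERS  = { 'Access-Control-Allow-Origin' => '*' }.freeze

  def initialize(app)
    @app = app
  end

  def call(env)
    visibility = project_visibility(env['PATH_INFO'].to_s)

    # Preflight for a public raw file: answer it here, read-only methods only.
    if visibility == :public && env['REQUEST_METHOD'] == 'OPTIONS'
      return [204, PUBLIC_HEADERS.merge('Access-Control-Allow-Methods' => ALLOWED_METHODS), []]
    end

    status, headers, body = @app.call(env)

    # Private or unknown project: no CORS header at all. The browser then refuses
    # to expose the response to the calling page, which is what the issue observes.
    return [status, headers, body] unless visibility == :public

    # Wildcard origin with no credentials flag: the browser will neither attach the
    # viewer's GitLab session cookie to a credentialed read nor expose the response
    # to one, so a third-party page only ever sees anonymous, public data.
    cors = headers.merge(PUBLIC_HEADERS)
    cors.delete('Access-Control-Allow-Credentials')
    [status, cors, body]
  end

  private

  def project_visibility(path)
    m = RAW_PATH.match(path)
    m && PROJECT_VISIBILITY["#{m[:ns]}/#{m[:proj]}"]   # nil when not a raw URL or unknown project
  end
end

# Constructed inner app standing in for the raw-file endpoint.
RAW_APP = lambda do |_env|
  [200, { 'Content-Type' => 'application/json' }, ['{"key": {"data1": 1, "data2": 2}}']]
end

# Run one request through the middleware and return [status, headers].
def simulate(path, method: 'GET', origin: 'https://intranet.example')
  env = { 'REQUEST_METHOD' => method, 'PATH_INFO' => path, 'HTTP_ORIGIN' => origin }
  status, headers, _body = PublicProjectCors.new(RAW_APP).call(env)
  [status, headers]
end

# The browser's read-side decision. A wildcard satisfies any Origin, including
# the literal "null" that a file:// page sends; an exact match is required for a
# credentialed request, which is why the wildcard never leaks a logged-in view.
# (A server that allow-lists "null" explicitly would be the mistake to avoid.)
def browser_exposes?(origin, headers, credentialed: false)
  acao = headers['Access-Control-Allow-Origin']
  return false if acao.nil?
  if credentialed
    acao == origin && headers['Access-Control-Allow-Credentials'] == 'true'
  else
    acao == '*' || acao == origin
  end
end

if __FILE__ == $PROGRAM_NAME
  %w[/namespace/project/raw/master/data.json /namespace/secret/raw/master/data.json].each do |p|
    status, headers = simulate(p, origin: 'null')
    puts "#{p} -> #{status} ACAO=#{headers['Access-Control-Allow-Origin'].inspect} " \
         "readable from file://: #{browser_exposes?('null', headers)}"
  end
end
```

The two checks worth keeping when wiring this into a real application are the ones the middleware encodes: the wildcard is emitted only after the project's visibility has been confirmed as public for the specific path being served, and it is never combined with Access-Control-Allow-Credentials or with a reflected Origin, so the cross-origin reader gets exactly what an anonymous GET would get and nothing more.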