No CORS headers on OPTIONS /oauth/token
Summary
The /oauth/token endpoint doesn't respond with CORS headers on a preflight OPTIONS request.
Steps to reproduce
Do an OPTIONS request with an origin != gitlab.com to https://gitlab.com/oauth/token by an OAuth2 application running in an environment with CORS support, a browser for example. The request is rejected by the browser with a CORS violation:
Access to fetch at 'https://gitlab.com/oauth/token' from origin 'https://blabla.com' has been blocked by CORS policy: Response to preflight request doesn't pass access control check: No 'Access-Control-Allow-Origin' header is present on the requested resource. If an opaque response serves your needs, set the request's mode to 'no-cors' to fetch the resource with CORS disabled.
Example Project
What is the current bug behaviour?
- No support for OPTIONS requests for CORS preflight requests.
What is the expected correct behaviour?
- Support OPTIONS requests for CORS preflight.
Relevant logs and/or screenshots
Relevant issues:
Output of checks
This bug happens on GitLab.com
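
The check a browser applies to the preflight response, as an added example that is not part of the original report and not GitLab code. It is a simplified, no-credentials version of the CORS preflight check; the request shape (a POST with a JSON Content-Type) and both sample responses are constructed assumptions.

```javascript
// Added example: simplified browser CORS preflight check (no-credentials mode).
// All sample requests and responses below are constructed for illustration.
const SAFELISTED_METHODS = ["GET", "HEAD", "POST"];

function list(value) {
  return (value || "").split(",").map((s) => s.trim()).filter(Boolean);
}

// req: { origin, method, unsafeHeaders: [header names that triggered the preflight] }
// res: { status, headers: { lowercased-name: value } } for the OPTIONS response
function checkPreflight(req, res) {
  const allowOrigin = res.headers["access-control-allow-origin"];
  if (allowOrigin === undefined) return "no Access-Control-Allow-Origin header";
  if (allowOrigin !== "*" && allowOrigin !== req.origin) return "origin not allowed";
  if (res.status < 200 || res.status > 299) return "preflight status is not 2xx";

  const methods = list(res.headers["access-control-allow-methods"]);
  if (!SAFELISTED_METHODS.includes(req.method) &&
      !methods.includes(req.method) && !methods.includes("*")) {
    return `method ${req.method} not allowed`;
  }

  const allowed = list(res.headers["access-control-allow-headers"]).map((h) => h.toLowerCase());
  for (const name of req.unsafeHeaders.map((h) => h.toLowerCase())) {
    // "*" never covers Authorization; it must be listed by name.
    const wildcardOk = allowed.includes("*") && name !== "authorization";
    if (!allowed.includes(name) && !wildcardOk) return `header ${name} not allowed`;
  }
  return "ok";
}

// Constructed request: token POST with a JSON body from the origin in the report.
const request = { origin: "https://blabla.com", method: "POST", unsafeHeaders: ["Content-Type"] };

// Constructed responses: one with no CORS headers (the reported behaviour), one that passes.
const missing = { status: 200, headers: {} };
const fixed = { status: 204, headers: {
  "access-control-allow-origin": "https://blabla.com",
  "access-control-allow-methods": "POST",
  "access-control-allow-headers": "Content-Type",
} };

console.log(checkPreflight(request, missing));
console.log(checkPreflight(request, fixed));
```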