Always set CORS headers (#434)

* Not all GRPC sessions advertise CORS in their headers

In practice, this is still setting the headers just as often, as
GRPC sessions that do advertise CORS in the request headers do so
consistently, while those that do not are still limited by CORS by
the browser policy.

* remove two tests that are no longer relevant

Author: aseigo

.tool-versions

@@ -77,8 +77,7 @@ defmodule GRPC.Server.Interceptors.CORS do
 
   @impl true
   def call(req, stream, next, {allow_origin, allow_headers}) do
-    if stream.access_mode != :grpc and
-         Map.get(stream.http_request_headers, "sec-fetch-mode") == "cors" do
+    if stream.access_mode != :grpc do
       headers =
         %{}
         |> add_allowed_origins(req, stream, allow_origin)

lib/grpc/server/interceptors/cors.ex

@@ -271,44 +271,4 @@ defmodule GRPC.Server.Interceptors.CORSTest do
       "Incorrect header when using function"
     )
   end
-
-  test "CORS only on cors sec-fetch-mode" do
-    request = %FakeRequest{}
-
-    stream = %{
-      create_stream()
-      | access_mode: :grpcweb,
-        http_request_headers: Map.put(@default_http_headers, "sec-fetch-mode", "same-origin")
-    }
-
-    {:ok, :ok} =
-      CORSInterceptor.call(
-        request,
-        %{stream | access_mode: :grpcweb},
-        fn _request, _stream -> {:ok, :ok} end,
-        CORSInterceptor.init(allow_origin: "*")
-      )
-
-    refute_received({:setting_headers, _}, "Set CORS header")
-  end
-
-  test "No CORS if missing sec-fetch-mode header" do
-    request = %FakeRequest{}
-
-    stream = %{
-      create_stream()
-      | access_mode: :grpcweb,
-        http_request_headers: Map.delete(@default_http_headers, "sec-fetch-mode")
-    }
-
-    {:ok, :ok} =
-      CORSInterceptor.call(
-        request,
-        %{stream | access_mode: :grpcweb},
-        fn _request, _stream -> {:ok, :ok} end,
-        CORSInterceptor.init(allow_origin: "*")
-      )
-
-    refute_received({:setting_headers, _}, "Set CORS header")
-  end
 end