Updated CORS configuration for credentials

We have invested *numerous* man-hours in attempting to provide a
properly-secured CORS implementation. Unfortunately, our efforts
have only resulted in a lot of frustration, failure, and new
knowledge. For now, given the low risk of exposing these files, we
will move forward with the insecure option.

LEARNER-568

playbooks/roles/credentials/templates/edx/app/nginx/sites-available/credentials.j2

@@ -38,39 +38,34 @@ server {
   }
 
   location ~ ^{{ CREDENTIALS_STATIC_URL }}(?P<file>.*) {
-    # Determine if we want to send the CORS headers
-    if ($http_origin ~ '^https?://({{ CREDENTIALS_CORS_ORIGIN_WHITELIST|join('|')|replace('.', '\.') }})/') {
-      set $cors 'true';
-    }
-
-    # All headers need to be set in one block. We cannot, for example, set default headers here and add more
-    # in an if statement. Thus, we have duplicate add_header directives in multiple if blocks.
-    # Adapted from http://stackoverflow.com/questions/27955233/nginx-config-for-cors-add-header-directive-is-not-allowed.
-    if ($request_method = 'OPTIONS') {
-      set $cors "${cors}options";
-    }
+    root {{ CREDENTIALS_STATIC_ROOT }};
+    add_header Cache-Control "max-age=31536000";
 
-    if ($request_method = 'GET') {
-      set $cors "${cors}get";
-    }
+    # NOTE (CCB): We have invested *numerous* man-hours in attempting to provide a properly-secured CORS implementation.
+    # Unfortunately, our efforts have only resulted in a lot of frustration, failure, and new knowledge. For now,
+    # given the low risk of exposing these files, we will move forward with the insecure option.
+    #
+    # References for future explorers:
+    # * https://www.nginx.com/resources/wiki/start/topics/depth/ifisevil/
+    # * https://enable-cors.org/server_nginx.html
+    # * http://stackoverflow.com/questions/27955233/nginx-config-for-cors-add-header-directive-is-not-allowed/41467679
+    #
+    add_header 'Access-Control-Allow-Origin' '*';
+    add_header 'Access-Control-Allow-Methods' 'GET, OPTIONS';
+    add_header 'Access-Control-Allow-Headers' 'DNT,X-CustomHeader,Keep-Alive,User-Agent,X-Requested-With,If-Modified-Since,Cache-Control,Content-Type,Content-Range,Range';
 
-    if ($cors = "trueget") {
-      add_header 'Access-Control-Allow-Origin' "$http_origin";
-      add_header 'Access-Control-Allow-Credentials' 'true';
-    }
+    if ($request_method = 'OPTIONS') {
+      add_header 'Access-Control-Allow-Origin' '*';
+      add_header 'Access-Control-Allow-Methods' 'GET, OPTIONS';
+      add_header 'Access-Control-Allow-Headers' 'DNT,X-CustomHeader,Keep-Alive,User-Agent,X-Requested-With,If-Modified-Since,Cache-Control,Content-Type,Content-Range,Range';
 
-    if ($cors = "trueoptions") {
-      add_header 'Access-Control-Allow-Origin' "$http_origin";
-      add_header 'Access-Control-Allow-Credentials' 'true';
-      add_header 'Access-Control-Allow-Methods' 'GET, POST, OPTIONS';
-      add_header 'Access-Control-Allow-Headers' 'Authorization,Content-Type,Accept,Origin,User-Agent,DNT,Cache-Control,X-Mx-ReqToken,Keep-Alive,X-Requested-With,If-Modified-Since';
-      add_header 'Content-Length' 0;
+      # Tell client that this pre-flight info is valid for 20 days
+      add_header 'Access-Control-Max-Age' 1728000;
       add_header 'Content-Type' 'text/plain charset=UTF-8';
+      add_header 'Content-Length' 0;
       return 204;
     }
 
-    root {{ CREDENTIALS_STATIC_ROOT }};
-    add_header Cache-Control "max-age=31536000";
     try_files /$file =404;
   }