xblock-external-ui: Add XBlock API call to render XBlock views

Included commits:
* xblock-external-ui: Include CSRF token in the API answer
* xblock-external-ui: Adds support for CORS headers (cross-domain request)
* xblock-external-ui: Include full path when building local_url
* xblock-external-ui: Fix TestHandleXBlockCallback & bok_choy, add tests
* xblock-external-ui: Only return `instance` in `_invoke_xblock_handler()`
* xblock-external-ui: Group resources by hash tag to avoid duplicate loads
* xblock-external-ui: Alternate referer check for CORS requests
* session-cookie-httponly: Allow to disable httponly on session cookies
* remove errant log message
* xblock-no-anonymous: Fail early if the XBlock view is called anonymously

lms/envs/common.py

@@ -134,6 +134,9 @@ FEATURES = {
     # with Shib.  Feature was requested by Stanford's office of general counsel
     'SHIB_DISABLE_TOS': False,
 
+    # Allows to configure the LMS to provide CORS headers to serve requests from other domains
+    'ENABLE_CORS_HEADERS': False,
+
     # Toggles OAuth2 authentication provider
     'ENABLE_OAUTH2_PROVIDER': False,