Setting this boolean to True was a conscious choice we made to support the broadest possible use of our collections API. I'm curious what downsides you see to this approach.
I will confess that this was 90% me troubleshooting a CORS failure for argo, finding this setting hardcoded and reading the Python docs on not using it as such.
Reflecting on it, I do think it would be appropriate to allow cross origin requests from anywhere, so long as they were application/json requests. Currently argo is responding even to text/html requests with the header "Access-Control-Allow-Origin: *", which I think is outside of your proposed use-case.
The use of CORS_ORIGIN_ALLOW_ALL is superseded and is not recommended:
argo/argo/settings.py
Lines 154 to 155 in 05a65fc
https://pypi.org/project/django-cors-headers/#cors-allow-all-origins-bool
Better would be to use the strategy from the request broker to name allowed origins:
https://github.com/RockefellerArchiveCenter/request_broker/blob/9fc371944a231181f98fec90d29f9e7521e9cd9b/request_broker/settings.py#L136-L137
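The two approaches discussed in this issue, as an added example that is not code from argo, request_broker or django-cors-headers: a simplified Python model of wildcard versus named-origin CORS responses, plus a check for the wildcard header on non-JSON responses. The origins, paths and function names are constructed for illustration.

```python
from urllib.parse import urlsplit

# Constructed origins (assumptions; not taken from the argo or request_broker settings).
ALLOWED_ORIGINS = ["https://frontend.example.org", "http://localhost:3000"]


def normalize_origin(origin):
    """Return scheme://host[:port] in lowercase, or None if not a plain web origin."""
    parts = urlsplit(origin or "")
    if parts.scheme not in ("http", "https") or not parts.netloc:
        return None
    if parts.path or parts.query or parts.fragment or "@" in parts.netloc:
        return None
    return f"{parts.scheme}://{parts.netloc}".lower()


def cors_headers(origin, allow_all=False, allowed=ALLOWED_ORIGINS):
    """Model the CORS headers added for a request carrying this Origin header."""
    if allow_all:
        # Wildcard: every origin may read the response, whatever its content type.
        return {"Access-Control-Allow-Origin": "*"}
    normalized = normalize_origin(origin)
    if normalized is None or normalized not in {o.lower() for o in allowed}:
        return {}  # no CORS headers: the browser blocks the cross-origin read
    # Echo only the matched origin and tell caches the response varies by Origin.
    return {"Access-Control-Allow-Origin": normalized, "Vary": "Origin"}


def audit(responses):
    """Return paths that send a wildcard allow-origin header on non-JSON content."""
    findings = []
    for path, content_type, headers in responses:
        media_type = content_type.split(";")[0].strip().lower()
        if headers.get("Access-Control-Allow-Origin") == "*" and media_type != "application/json":
            findings.append(path)
    return findings


# Constructed response records: (path, Content-Type, CORS headers sent).
SAMPLE = [
    ("/example/json", "application/json", cors_headers("https://other.example", allow_all=True)),
    ("/example/html", "text/html; charset=utf-8", cors_headers("https://other.example", allow_all=True)),
    ("/example/html-named", "text/html; charset=utf-8", cors_headers("https://other.example")),
]

if __name__ == "__main__":
    print(audit(SAMPLE))
```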