hydra
Enable permissive CORS on static file serving
I had this issue while experimenting with CI for MR previews of a static site with Hydra. The same issue also impacts the Nix and Hydra manuals, where font icons are not displayed (at least with recent Firefox and Chromium).
(https://hydra.nixos.org/build/263397466/download/1/manual/)
I'm not really sure why CORS is needed for some requests and not for others. I suspect this is due to the Content-Security-Policy=sandbox header, as the same program I have works well on another deployment that doesn't send that header.
This should stay secure, as only static files are served, but will allow other sites to embed built content served by Hydra.
PS: MDN confirms that this won't send cookies or other authentication information (in https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Access-Control-Allow-Credentials): "Credentials are cookies, TLS client certificates, or authentication headers containing a username and password. By default, these credentials are not sent in cross-origin requests, and doing so can make a site vulnerable to CSRF attacks."
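As an added example (not part of this PR or of Hydra's code), a small Python check that classifies the CORS headers a static-file endpoint returns, separating the credential-free wildcard configuration described above from a reflected-origin-with-credentials setup that would expose authenticated responses to third-party pages. The header sets and the `fetch_cors_headers` helper's URL handling are constructed for illustration.

```python
"""Classify CORS response headers on a static-file endpoint (added example)."""
from urllib.request import Request, urlopen


def classify_cors(headers: dict, request_origin: str) -> str:
    """Return a label for the CORS posture of one response.

    headers        -- response headers as returned by the server
    request_origin -- the Origin header the client sent
    """
    h = {k.lower(): v.strip() for k, v in headers.items()}
    acao = h.get("access-control-allow-origin")
    creds = h.get("access-control-allow-credentials", "").lower() == "true"

    if acao is None:
        # No CORS header: other origins cannot read the response, which is
        # why sandboxed documents (opaque origin) fail to load fonts.
        return "none"
    if acao == "*":
        # Wildcard origin never carries cookies or auth headers; browsers
        # reject '*' combined with credentials, so flag that misconfiguration.
        return "wildcard-with-credentials" if creds else "permissive-safe"
    if acao == request_origin and creds:
        # Echoing the requester's origin while allowing credentials lets any
        # page read the response with the user's session attached.
        return "reflected-with-credentials"
    return "specific-origin"


def fetch_cors_headers(url: str, origin: str = "https://example.invalid") -> dict:
    """Issue a GET with an Origin header and return the response headers."""
    req = Request(url, headers={"Origin": origin}, method="GET")
    with urlopen(req, timeout=10) as resp:  # network call; not used in tests
        return dict(resp.headers.items())


if __name__ == "__main__":
    # Constructed sample: what a permissive static-file server should send.
    sample = {"Access-Control-Allow-Origin": "*", "Content-Type": "font/woff2"}
    print(classify_cors(sample, "https://example.invalid"))  # permissive-safe
```

Point `fetch_cors_headers` at a manual font asset to see which label a live deployment gets.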