
[Feature] Include CORS policy for remote API to allow cross-site request

Open MartinRied opened this issue 1 year ago • 3 comments

Hi,

I'm using Kenku to provide music for my (Foundry) VTT-based game in Discord.

Preferably I'd like to control the music & sounds from within the VTT, which is in theory possible using JavaScript-based Macros that make calls to the Kenku API.

However, since fastify does not send any CORS headers, most if not all current browsers will not allow requests from the domain where my VTT is hosted to localhost where Kenku is running.

I was able to add the required headers by forking the project, but I would prefer it if this possibility could be incorporated into the mainline branch.

From a security point of view, the approach I've taken in my fork (allowing CORS requests from all domains) is quite "quick and dirty". For integrating this into the upstream it should at least be optional (that is, CORS requests have to be enabled explicitly in the API settings) or, even better, have a configurable domain name in the API settings for which CORS requests are allowed.

I would gladly implement the required configuration, but the policy states no feature PRs are accepted so I did not (yet) see much sense in that.

MartinRied, Dec 30 '22 18:12
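
One way to express the opt-in, single-origin policy requested above, as an added example that is not code from the issue author's fork or from kenku-fm. The settings shape, function names, sample origin, and the allowed methods and headers are assumptions.

```javascript
// Hypothetical settings shape; not kenku-fm's real configuration.
const settings = {
  corsEnabled: true,                            // would default to false
  allowedOrigins: ["https://vtt.example.com"],  // constructed sample origin
};

// Returns the CORS headers for a request, or {} when the origin is not allowed.
function corsHeaders(cfg, origin) {
  if (!cfg.corsEnabled || typeof origin !== "string") return {};
  let parsed;
  try { parsed = new URL(origin); } catch { return {}; }
  // Exact match on the serialized origin; no substring or suffix matching.
  if (parsed.origin !== origin || !cfg.allowedOrigins.includes(origin)) return {};
  return {
    "Access-Control-Allow-Origin": origin,  // echo the one origin, never "*"
    "Vary": "Origin",                       // caches must key on Origin
  };
}

// Preflight (OPTIONS) is answered here; for other methods the caller adds
// the returned headers to its normal response (status stays null).
function handleCors(cfg, method, reqHeaders) {
  const headers = corsHeaders(cfg, reqHeaders["origin"]);
  const allowed = "Access-Control-Allow-Origin" in headers;
  const isPreflight =
    method === "OPTIONS" && "access-control-request-method" in reqHeaders;
  if (!isPreflight) return { status: null, headers };
  if (!allowed) return { status: 403, headers: {} };
  return {
    status: 204,
    headers: {
      ...headers,
      "Access-Control-Allow-Methods": "GET, PUT, POST", // assumed API methods
      "Access-Control-Allow-Headers": "Content-Type",   // assumed JSON bodies
      "Access-Control-Max-Age": "600",
    },
  };
}
```

A request from an origin that is not listed gets no `Access-Control-Allow-Origin` header, so the browser blocks the page from reading the response, and its preflight is refused before any state-changing call is sent.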