CORS: Add OCS-APIRequest header to allowed headers in OCSController

[everlanes]

How to use GitHub

• Please use the 👍 reaction to show that you are interested into the same feature.
• Please don't comment if you have no relevant information to add. It's just extra noise for everyone subscribed to this issue.
• Subscribe to receive notifications on status change and new comments.

Is your feature request related to a problem? Please describe.
I tried to call the OCS api from an external website with a XMLHttpRequest request.

Chrome prevents this with the following error:
Access to XMLHttpRequest at '.../ocs/v2.php/apps/forms/api/v1.1/submission/insert' from origin 'http://127.0.0.1:8000' has been blocked by CORS policy: Request header field ocs-apirequest is not allowed by Access-Control-Allow-Headers in preflight response.

Describe the solution you'd like
I would suggest, to add this header permanently to the list of allowed headers in the OCSController constructor, making it easier to use the OCS api in 3rd party websites apps.

public function __construct($appName,
	IRequest $request,
	$corsMethods = 'PUT, POST, GET, DELETE, PATCH',
	$corsAllowedHeaders = 'Authorization, Content-Type, Accept, OCS-APIRequest',
	$corsMaxAge = 1728000) {

Describe alternatives you've considered
I can prevent the error and satisfy Chrome preflight check, by modifying the forms app ApiController. Adding ocs-apirequest to the list of allowed headers in the constructor call of the OCSController solves the problem.

So I am quite sure, this solution is working.

But, as I understand, the OCS API always requires the OCS-APIRequest header. That is why I would prefer to add this header to the OCSController generally.

[jotoeri]

#31807