CORS proxy: Make allowed origins configurable (#43)

## Motivation for the change, related issues

We need to better support self-hosting the Playground web app (as we are
now deploying a private instance), and the current CORS proxy only
supports requests from playground.wordpress.net and localhost.

Let's allow customizing the list of supported origins.

## Implementation details

This PR specifies the current supported origins as the default list and
allows it to be overridden by defining a PHP constant
`PLAYGROUND_CORS_PROXY_SUPPORTED_ORIGINS`.

This PR also stops the web app build and deployment from including its
own CORS proxy. We don't want this in the main, public web app, so let's
just keep the two completely separate.

## Testing Instructions (or ideally a Blueprint)

Test after merge part of a private CORS proxy deployment.

Author: brandonpayton

packages/playground/php-cors-proxy-deployment/__wp__/index.php

@@ -1,7 +1,7 @@
 <?php
 
 if (
-        empty( $_SERVER['PATH_INFO'] ) &&           
+        empty( $_SERVER['PATH_INFO'] ) &&
         !str_starts_with($_SERVER['REQUEST_URI'], '/?')
 ) {                                                 
         // Allow proxied URL to be provided via request URI,

packages/playground/php-cors-proxy/cors-proxy-functions.php

@@ -407,21 +407,21 @@ function should_respond_with_cors_headers($host, $origin) {
         return false;
     }
 
-    $is_request_from_playground_web_app = $origin === 'https://playground.wordpress.net';
-    $not_hosted_with_playground_web_app = $host !== 'playground.wordpress.net';
+    $supported_origins = array(
+        'https://playground.wordpress.net',
+        'http://localhost',
+        'http://127.0.0.1',
+    );
     if (
-        $is_request_from_playground_web_app &&
-        $not_hosted_with_playground_web_app
+        defined('PLAYGROUND_CORS_PROXY_SUPPORTED_ORIGINS') &&
+        is_array(PLAYGROUND_CORS_PROXY_SUPPORTED_ORIGINS)
     ) {
-        return true;
+        $supported_origins = PLAYGROUND_CORS_PROXY_SUPPORTED_ORIGINS;
     }
 
-    $origin_host = parse_url($origin, PHP_URL_HOST);
-    $is_local_origin = in_array(
-        $origin_host,
-        array('localhost', '127.0.0.1'),
+    return in_array(
+        $origin,
+        $supported_origins,
         true
     );
-
-    return $is_local_origin;
 }

packages/playground/website-deployment/apply-update.sh

@@ -102,9 +102,4 @@ curl -sS -X POST -H "Auth: $ATOMIC_SITE_API_KEY" "$SITE_API_BASE/edge-cache/$ATO
         && echo "Edge cache purged" \
         || (>&2 echo "Failed to purge edge cache" && false)
 
-echo Applying latest CORS proxy rate-limiting schema
-# NOTE: This will reset rate-limiting token buckets, but that should be tolerable
-# as long as we're generally discouraging abuse of the proxy.
-cat ~/website-deployment/cors-proxy-rate-limiting-table.sql | mysql --database="$DB_NAME"
-
 echo Done!

packages/playground/website/project.json

@@ -19,8 +19,6 @@
 					"cp -r ./client ./wasm-wordpress-net/",
 					"cp -r ./remote/* ./wasm-wordpress-net/",
 					"cp -r ./website/* ./wasm-wordpress-net/",
-					"cp ../../../packages/playground/php-cors-proxy/cors-proxy.php ./wasm-wordpress-net/",
-					"cp ../../../packages/playground/php-cors-proxy/cors-proxy-functions.php ./wasm-wordpress-net/",
 					"cat ./remote/.htaccess ./website/.htaccess > ./wasm-wordpress-net/.htaccess",
 					"curl https://raw.githubusercontent.com/wp-cli/builds/gh-pages/phar/wp-cli.phar > wasm-wordpress-net/wp-cli.phar",
 					"cat wasm-wordpress-net/wp-cli.phar | gzip -c -9 > wasm-wordpress-net/wp-cli.phar.gz"