CORS support

[czcollier]

Applications built with Mesop should be embeddable into pages on external sites. AI (especially chat) UIs are prime candidates for embedding into host websites.

To enable this, CORS support will need to be added.

CORS can be added to Mesop relatively simply by copying the pattern used for Iframe Security. Iframe Security (SecurityPolicy) and CORS have similar use cases and implementations. Both of these mechanisms are implemented using HTTP response headers, and configuration via @me.page parameters make sense as a configuration mechanism.

I have a preliminary PR here: #1109

[wwwillchen]

If you want to embed a Mesop app on another website, you shouldn't need to modify CORS. As you've linked to, the iframe security allows other sites to embed the Mesop app.

Are you embedding a Mesop app in another way besides iframes?

[czcollier]

Hi, thanks for reviewing. Yes, we are embedding via Javascript (XmlHttpRequest, AJAX). This is another common way of embedding into websites. For example, Vertex AI Agent Builder has options for Iframe or "widget" embedding. See the attached screenshot showing the agent builder UI. We would be implementing functionality similar to this, where our app could be embedded via JS.

[wwwillchen]

I see - thanks for sharing. In your PR #1109 can you add a minimal example of how a web page would embed a Mesop app? This would also be helpful for adding an e2e test to make sure this functionality is working as expected.

[czcollier]

Yes, will do!