Some public APIs such as api.github.com enable CORS so that websites can ping them from within the browser.
I'm far from a security expert, but would it be possible to enable cross origin requests for both index.golang.org and proxy.golang.org so that browsers can talk to them directly?
Thanks 👍
cc @katiehockman @FiloSottile
Since everything on proxy/sum/index.golang.org is a simple GET request that could be performed by an iframe just as easily, this seems safe in my limited understanding. Still, it's work, so it'd be nice to have some example use cases to justify it.
Since nothing is authenticated (neither by cookie nor by session nor by IP), this should be safe. If we wanted to add authenticated endpoints later we could check the Origin header or carve those out.
(The difference from an iframe load—or an image load or a form submission—is that with CORS the third party origin gets the content of the responses.)
Deferring on whether this is worth doing.
@FiloSottile thanks 👍
A good use case would be for people building web UIs that interact with the Module Index to let users search and navigate through modules.
Although the practicality of Go WASM is not fully there yet, another use case is that with Go WASM, you can theoretically compile and run Go code in the browser, so pulling zips from proxy.golang.org would be helpful. A user can also potentially publish their module as a "plugin" and have the browser pull it asynchronously so that their website can have chunking/eager-loading.
Thanks for giving some additional justification.
This should be a pretty straightforward change for us, so we'll go ahead and enable this.
CORS has been enabled for proxy.golang.org, index.golang.org, and sum.golang.org.
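The policy discussed in this thread (wildcard CORS for unauthenticated GETs, an Origin check for any authenticated endpoints added later), sketched as Go middleware. This is an added example, not part of the thread and not the code running on proxy.golang.org; the `/private/` prefix, the `allowedOrigins` allowlist and the sample paths and origins are hypothetical.

```go
package main

import (
	"fmt"
	"net/http"
	"net/http/httptest"
	"strings"
)

// allowedOrigins is a hypothetical allowlist for authenticated endpoints.
var allowedOrigins = map[string]bool{"https://app.example": true}

// withCORS exposes public read-only responses to any origin, and reflects
// the Origin header only for allowlisted callers on /private/ (hypothetical).
func withCORS(next http.Handler) http.Handler {
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		origin := r.Header.Get("Origin")
		switch {
		case strings.HasPrefix(r.URL.Path, "/private/"):
			// The response depends on Origin, so caches must key on it.
			w.Header().Add("Vary", "Origin")
			if allowedOrigins[origin] {
				w.Header().Set("Access-Control-Allow-Origin", origin)
				w.Header().Set("Access-Control-Allow-Credentials", "true")
			}
		case r.Method == http.MethodGet || r.Method == http.MethodHead:
			// "*" is never honoured by browsers for credentialed requests,
			// so it only exposes what an anonymous client could fetch anyway.
			w.Header().Set("Access-Control-Allow-Origin", "*")
		}
		next.ServeHTTP(w, r)
	})
}

// corsHeader sends one constructed request through the middleware and
// returns the Access-Control-Allow-Origin value the browser would see.
func corsHeader(method, path, origin string) string {
	h := withCORS(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		fmt.Fprint(w, "ok")
	}))
	req := httptest.NewRequest(method, path, nil)
	req.Header.Set("Origin", origin)
	rec := httptest.NewRecorder()
	h.ServeHTTP(rec, req)
	return rec.Header().Get("Access-Control-Allow-Origin")
}

func main() {
	fmt.Printf("%q\n", corsHeader("GET", "/example.com/mod/@v/list", "https://other.example"))
	fmt.Printf("%q\n", corsHeader("GET", "/private/tokens", "https://other.example"))
	fmt.Printf("%q\n", corsHeader("GET", "/private/tokens", "https://app.example"))
}
```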