Add CORS recommendation

CHANGELOG.md

@@ -8,6 +8,7 @@ and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0
 
 ### Added
 - Catalog and Collection definitions now have required field "type"
+- Added recommendation to enable CORS for public APIs
 
 ### Changed
 - Passing the `ids` parameter to an item search does not deactivate other query parameters [#125](https://github.com/radiantearth/stac-api-spec/pull/125)

README.md

@@ -81,6 +81,9 @@ Sub-modules aren't checked out by default, so to get the directory populated
 either use `git submodule update --init --recursive` if you've already cloned it,
 or clone from the start with `git clone --recursive [email protected]:radiantearth/stac-api-spec.git`. 
 
+**Implementation Recommendations:** Recommendations for implementing a STAC API may be found [here](implementation.md). 
+These are mostly concerns that apply to an entire API implementation and are not part of the specification itself.
+
 ## Contributing
 
 Anyone building software that catalogs imagery or other geospatial assets is welcome to collaborate.

implementation.md

@@ -0,0 +1,22 @@
+# Implementation Recommendations
+
+This document describes implementation recommendations for a STAC API.
+
+## CORS
+
+It is recommended that public APIs advertise a permissive CORS configuration so UIs running on a different domain
+may more easily access them.
+
+APIs should acknowledge pre-flight request headers. In general, these header values should be set on responses:
+
+```
+access-control-allow-origin: *
+access-control-allow-methods: OPTIONS, POST, GET
+access-control-allow-headers: Content-Type
+access-control-allow-credentials: false
+```
+
+It is relatively safe to use these headers for all endpoints. However, one may want to restrict the methods to only those that apply to each endpoint. For example, the `/collection/{collectionId}/items` endpoint should only allow OPTIONS and GET, since POST is only used by the Transactions Extension, which presumably would require authentication as it is mutating data. 
+
+Implementations that support the Transactions Extension or require credentials for some operations will need to 
+implement different behavior, for example, allowing credentials when requests are coming from a trusted domain or also allowing DELETE, PUT, or PATCH methods.

overview.md

@@ -6,7 +6,7 @@ a subset of the entire catalog, such as for a certain date range, in a particula
 they care about. STAC API extensions specifies those query parameters, and compliant servers return collections of STAC Items that
 match the user's preferences. A lot of additional functionality can added through the [OGC API](https://ogcapi.ogc.org/) family of
 standards, particularly [OGC API - Features](http://docs.opengeospatial.org/is/17-069r3/17-069r3.html) (OAFeat, for our
-shorthand). 
+shorthand).  Notes on implementation recommendations may be found [here](implementation.md).
 
 ## STAC API Description