We're providing a small RESTful service. It delivers some JSON data and is completely protected with basic authentication.
Most of our customers have implemented a small PHP client (or something like it) which fetches data from our servers and provides it to their users.
Now there is one customer who doesn't have an internal backend but is using a plain HTML file with JavaScript instead. The requests are sent directly from the client's browser to our service.
This of course causes problems in the browser because the request is sent to another URL (our server) and the browser's CORS policy is denying the result.
The customer asked us if we could set all the required CORS headers in our service, which would solve his problem:
Access-Control-Allow-Origin: *
Access-Control-Allow-Methods: POST, GET, PUT, OPTIONS, DELETE
Access-Control-Allow-Headers: Content-Type, Authorization
Access-Control-Allow-Credentials: *
Is there any disadvantage or risk if we provide all these headers by default? Would it be a good idea to always provide the headers for public APIs?
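The exchange the question describes, as an added example that is not part of the original post: a server-side function that computes CORS response headers from an origin allowlist, a browser-side function that applies the CORS acceptance rules from the Fetch standard, and a simulated preflight plus actual request for a fetch() carrying a Basic Authorization header. It runs under Node without dependencies. The origin `https://customer.example`, the method and header lists and the Base64 credential string are assumptions chosen for the example.

```javascript
// Added example, not code from the original question. It models the CORS
// decision a server makes for a browser client that sends Basic auth, and
// the check a browser applies to the response, so the effect of each header
// in the question can be tried offline. The origin, method and header lists
// are assumptions chosen for the example.

const ALLOWED_ORIGINS = new Set(["https://customer.example"]); // assumed origin
const ALLOWED_METHODS = ["GET", "POST", "PUT", "DELETE", "OPTIONS"];
const ALLOWED_HEADERS = ["Content-Type", "Authorization"];

// Server side: compute the CORS response headers for one request.
// `req` is { method, headers } with lowercase header names, as Node's
// http module delivers them. Returns {} when no CORS headers apply.
function corsHeaders(req, { allowCredentials = false } = {}) {
  const origin = req.headers["origin"];
  const out = {};
  if (!origin || !ALLOWED_ORIGINS.has(origin)) {
    return out; // no Origin (not a cross-site browser request) or an origin we do not allow
  }
  // Echo the single allowed origin instead of "*": a wildcard is refused by
  // the browser whenever the request carries credentials.
  out["Access-Control-Allow-Origin"] = origin;
  out["Vary"] = "Origin"; // the answer depends on Origin, so caches must key on it
  if (allowCredentials) {
    // "true" is the only value the browser accepts here; "*" is not valid.
    out["Access-Control-Allow-Credentials"] = "true";
  }
  const isPreflight =
    req.method === "OPTIONS" && req.headers["access-control-request-method"] !== undefined;
  if (isPreflight) {
    // Authorization is not a CORS-safelisted request header, so a browser
    // preflights any request that carries it and expects it to be listed.
    out["Access-Control-Allow-Methods"] = ALLOWED_METHODS.join(", ");
    out["Access-Control-Allow-Headers"] = ALLOWED_HEADERS.join(", ");
    out["Access-Control-Max-Age"] = "600";
  }
  return out;
}

// Browser side: the acceptance check the CORS protocol applies to a response.
// Mirrors the Fetch standard rules: Allow-Origin must be "*" or the exact
// origin; with credentials, "*" is refused and Allow-Credentials must be
// exactly the string "true".
function browserWouldAccept(responseHeaders, origin, withCredentials) {
  const acao = responseHeaders["Access-Control-Allow-Origin"];
  const acac = responseHeaders["Access-Control-Allow-Credentials"];
  if (acao === undefined) return false;
  if (!withCredentials) return acao === "*" || acao === origin;
  return acao === origin && acac === "true";
}

// Walk through preflight and actual request for a fetch() that sets an
// Authorization header from script. Returns which of the two steps passed.
function simulateExchange(origin, { allowCredentials, withCredentials }) {
  const preflight = {
    method: "OPTIONS",
    headers: {
      origin,
      "access-control-request-method": "GET",
      "access-control-request-headers": "authorization",
    },
  };
  const preflightResponse = corsHeaders(preflight, { allowCredentials });
  const preflightOk =
    browserWouldAccept(preflightResponse, origin, withCredentials) &&
    preflightResponse["Access-Control-Allow-Methods"].split(/,\s*/).includes("GET") &&
    preflightResponse["Access-Control-Allow-Headers"].toLowerCase().includes("authorization");
  if (!preflightOk) return { preflightOk: false, actualOk: false };

  const actual = {
    method: "GET",
    headers: { origin, authorization: "Basic dXNlcjpwYXNz" }, // constructed user:pass
  };
  const actualResponse = corsHeaders(actual, { allowCredentials });
  return {
    preflightOk: true,
    actualOk: browserWouldAccept(actualResponse, origin, withCredentials),
  };
}

console.log(simulateExchange("https://customer.example", { allowCredentials: true, withCredentials: true }));
console.log(simulateExchange("https://other.example", { allowCredentials: true, withCredentials: true }));
```

Two things the simulation makes visible: a response carrying `Access-Control-Allow-Origin: *` is accepted by `browserWouldAccept` only for requests made without credentials, and a response whose `Access-Control-Allow-Credentials` is anything other than the exact string `true` is refused for credentialed requests, so the allowlist-and-echo pattern above is what a server must do when the browser client is meant to send authentication.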