[13.x] Add per-route CORS configuration support

[WendellAdriel]

Overview

This PR adds route-specific CORS handling while moving that behavior into dedicated route middleware, so per-route policies can use the already-resolved route instead of matching requests twice.

Approach

• Keep the existing global CORS configuration as the fallback for configured paths.
• Apply route-specific CORS through middleware in the web and api groups so route metadata and controller attributes are resolved from the active route.
• Carry the intended route information through preflight handling so OPTIONS requests use the same route-specific policy as the underlying endpoint.

Examples

Route-level configuration:

use Illuminate\Support\Facades\Route;

Route::get('/profile', fn () => ['name' => 'Taylor'])
    ->cors([
        'origins' => ['https://app.example.com'],
        'methods' => ['GET'],
        'headers' => ['Content-Type', 'X-Requested-With'],
    ]);

Class-level attribute:

use Illuminate\Routing\Attributes\Cors;

#[Cors(origins: ['https://admin.example.com'], methods: ['GET', 'POST'])]
class AdminProfileController
{
    public function __invoke()
    {
        return ['name' => 'Taylor'];
    }
}

Class method-level attribute:

use Illuminate\Routing\Attributes\Cors;

class ReportController
{
    #[Cors(origins: ['https://reports.example.com'], methods: ['GET'])]
    public function show()
    {
        return ['status' => 'ok'];
    }
}

[taylorotwell]

Hmm, one change I might make to this is to potentially make a new middleware in the web and api groups that is specifically for route CORS. That way you don't have to do the route matching twice and the route will already be available on $request->route().

[WendellAdriel]

Just pushed some changes with a different approach @taylorotwell
Check if that's ok or if you want me to work in a diff one, thanks for the review! 💪

[martinbean]

I like the idea of this, but in my experience CORS has always been far more complicated than, “allow requests for this one hostname only”. This approach even falls down when you have multiple environments for a single application with their own unique hostnames, so hard-coded hostname (or array of hostnames) in an attribute is not going to cut it.