
Fix CORS security vulnerability #2615

Open
imatiach-msft wants to merge 1 commit into microsoft:main from imatiach-msft:fix-cors-security-icm-111099

Conversation

@imatiach-msft
Collaborator

Description

  • Restrict CORS origins in PublicVMEnvironment to specific service origin
  • Restrict CORS origins in LocalIPythonEnvironment to localhost origins
  • Add allow_all_origins parameter as escape hatch for users who need wildcard CORS and understand the security implications

This fixes CWE-942 (Wildcard CORS) by defaulting to restrictive CORS policy while preserving backward compatibility via opt-in parameter.

Checklist

  • I have added screenshots above for all UI changes.
  • I have added e2e tests for all UI changes.
  • Documentation was updated if it was needed.

Copilot AI review requested due to automatic review settings March 23, 2026 16:58
Contributor

Copilot AI left a comment


Pull request overview

This PR aims to remediate a wildcard CORS vulnerability (CWE-942) by defaulting PublicVMEnvironment and LocalIPythonEnvironment to restrictive CORS allowlists, with an allow_all_origins escape hatch on FlaskHelper.

Changes:

  • Add allow_all_origins parameter to FlaskHelper to optionally preserve wildcard CORS.
  • Restrict CORS in PublicVMEnvironment to a computed origin based on service.ip/service.port unless overridden.
  • Restrict CORS in LocalIPythonEnvironment to localhost/127.0.0.1 origins based on service.port unless overridden.

Reviewed changes

Copilot reviewed 3 out of 3 changed files in this pull request and generated 5 comments.

Reviewed files:

  • rai_core_flask/rai_core_flask/flask_helper.py: Introduces the allow_all_origins flag on the core Flask helper service object.
  • rai_core_flask/rai_core_flask/environments/public_vm_environment.py: Applies the new flag and adds a restrictive CORS policy by default for public VM detection.
  • rai_core_flask/rai_core_flask/environments/local_ipython_environment.py: Applies the new flag and adds a restrictive CORS policy by default for local IPython detection.

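The policy that the PR description and the review overview above outline (a fixed allowlist by default, wildcard only behind an explicit opt-in) can be expressed as a small origin-check routine. The block below is an added illustration, not code from the rai_core_flask project and not the PR's diff: the names CorsPolicy, public_vm_policy, local_ipython_policy and cors_headers are hypothetical, the http scheme and the ip:port shape of the public-VM origin are assumptions, and the IPs and ports used are constructed sample values.

```python
"""Added example: default-deny CORS allowlists with an explicit wildcard opt-in.

Hypothetical illustration of the policy described in the PR; not rai_core_flask code.
"""
from dataclasses import dataclass, field
from typing import Dict, Optional, Sequence

WILDCARD = "*"


@dataclass
class CorsPolicy:
    """Allowed origins for one service instance.

    allow_all_origins=True is the opt-in escape hatch; the default is a fixed
    allowlist, so a wildcard Access-Control-Allow-Origin header is never sent
    unless the caller asked for it explicitly.
    """
    origins: Sequence[str] = field(default_factory=tuple)
    allow_all_origins: bool = False

    def allowed_origin_for(self, request_origin: Optional[str]) -> Optional[str]:
        """Return the Access-Control-Allow-Origin value to emit, or None to omit it.

        Browsers compare the header against the request's Origin exactly
        (scheme, host and port), so a matching origin is echoed back as-is
        rather than sending the whole list.
        """
        if self.allow_all_origins:
            return WILDCARD
        if request_origin is None:
            return None  # same-origin or non-browser request: no CORS header needed
        wanted = request_origin.rstrip("/").lower()
        for allowed in self.origins:
            if wanted == allowed.rstrip("/").lower():
                return allowed
        return None  # not on the allowlist: the browser will block the cross-origin read


def public_vm_policy(ip: str, port: int, allow_all_origins: bool = False) -> CorsPolicy:
    """Hypothetical PublicVMEnvironment rule: only the service's own origin (http assumed)."""
    return CorsPolicy(origins=(f"http://{ip}:{port}",), allow_all_origins=allow_all_origins)


def local_ipython_policy(port: int, allow_all_origins: bool = False) -> CorsPolicy:
    """Hypothetical LocalIPythonEnvironment rule: localhost spellings on the service port."""
    origins = (f"http://localhost:{port}", f"http://127.0.0.1:{port}")
    return CorsPolicy(origins=origins, allow_all_origins=allow_all_origins)


def cors_headers(policy: CorsPolicy, request_origin: Optional[str]) -> Dict[str, str]:
    """Response headers to add for a given request Origin (empty dict = add none).

    A per-origin echo must be accompanied by "Vary: Origin" so caches do not
    serve one origin's response to another.
    """
    value = policy.allowed_origin_for(request_origin)
    if value is None:
        return {}
    headers = {"Access-Control-Allow-Origin": value}
    if value != WILDCARD:
        headers["Vary"] = "Origin"
    return headers


if __name__ == "__main__":
    # Constructed sample values for a quick walk-through.
    vm = public_vm_policy("10.0.0.5", 5000)
    local = local_ipython_policy(8704)
    for policy, origin in [
        (vm, "http://10.0.0.5:5000"),
        (vm, "http://attacker.example"),
        (local, "http://127.0.0.1:8704"),
        (local_ipython_policy(8704, allow_all_origins=True), "http://attacker.example"),
    ]:
        print(f"{origin!r:32} -> {cors_headers(policy, origin)}")
```

Under the default policy a cross-origin page that is not on the allowlist receives no Access-Control-Allow-Origin header at all, so the browser refuses to expose the response to it; only a caller that passes allow_all_origins=True gets the previous wildcard behaviour back.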

imatiach-msft force-pushed the fix-cors-security-icm-111099 branch from fc655ed to 33f6fec (March 23, 2026 17:05)
imatiach-msft force-pushed the fix-cors-security-icm-111099 branch 3 times, most recently from 253a574 to 4d89758 (March 23, 2026 17:10)
imatiach-msft force-pushed the fix-cors-security-icm-111099 branch from 4d89758 to 201c405 (March 23, 2026 17:42)