Bug: Using Sourcegraph.com GraphQL API from other websites is broken
Created by: slimsag
Problem: If you try to use https://sourcegraph.com/.api/graphql from another website, it is blocked due to CORS because we're not setting any Content-Security-Policy for responses from that URL; it falls back to the default and is thus blocked:
Content Security Policy: The page’s settings blocked the loading of a resource at https://sourcegraph.com/.api/graphql?SearchContexts (“default-src”).
Are you ready for some history?
- Based on my memory, we have always intended for the Sourcegraph.com GraphQL API to be used as broadly and accessibly as possible - including by other websites, by unauthenticated users on https://sourcegraph.com/api/console, via the `src` CLI, and literally everywhere else.
- We explicitly designed the CORS handling of the GraphQL API to only ever allow cookie-based session auth if on the same domain (in so-called "non-simple" CORS requests).
- This is closely related to this old issue I have open about removing our redundant CSRF cookies #7658, and if you're wondering "how is that secure?" see my detailed write-up here back in 2018, which is still true today - or this more brief explanation from OWASP: using custom request headers to prevent CSRF.
In short:
https://sourcegraph.com/.api/graphql should have a Content-Security-Policy which allows requests from any origin. This should be completely safe and secure to enable, and was the original intended behavior - but obviously needs verification.
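The policy the bullets describe (any origin may call the API, but cookie-based session auth is honoured only for same-origin, "non-simple" requests that carry a custom header) can be made concrete as a small `net/http` middleware. The code below is an added illustration, not Sourcegraph's own implementation: the origin `https://sourcegraph.example`, the header name `X-Requested-With`, the cookie name `session` and the `graphqlStub` handler are all constructed for the example. It uses `httptest` so the four scenarios (cross-origin with cookie, same-origin with header, same-origin form-style request without the header, and a preflight) can be exercised offline.

```go
package main

import (
	"fmt"
	"io"
	"net/http"
	"net/http/httptest"
)

// siteOrigin is a constructed placeholder for the deployment's own origin.
const siteOrigin = "https://sourcegraph.example"

// requiredHeader is a custom header that a plain HTML form, <img> or <script> tag
// cannot attach; its presence means the request came from fetch/XHR, which for a
// cross-origin caller forces a CORS preflight (a "non-simple" request).
const requiredHeader = "X-Requested-With"

// allowCookieAuth is true only for same-origin requests that also carry the
// custom header. Everything else is served anonymously (or via a bearer token).
func allowCookieAuth(r *http.Request) bool {
	if r.Header.Get(requiredHeader) == "" {
		return false
	}
	origin := r.Header.Get("Origin") // browsers send Origin on every POST and every CORS request
	return origin == "" || origin == siteOrigin
}

// apiCORS opens the endpoint to any origin without ever allowing credentials
// cross-origin, and strips the Cookie header when session auth is not permitted
// so a downstream session lookup cannot accidentally honour it.
func apiCORS(next http.Handler) http.Handler {
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		if r.Method == http.MethodOptions && r.Header.Get("Access-Control-Request-Method") != "" {
			// Preflight: permit any origin, but no Access-Control-Allow-Credentials.
			w.Header().Set("Access-Control-Allow-Origin", "*")
			w.Header().Set("Access-Control-Allow-Methods", "GET, POST, OPTIONS")
			w.Header().Set("Access-Control-Allow-Headers", "Content-Type, Authorization, "+requiredHeader)
			w.Header().Set("Access-Control-Max-Age", "600")
			w.WriteHeader(http.StatusNoContent)
			return
		}
		if r.Header.Get("Origin") != "" {
			w.Header().Set("Access-Control-Allow-Origin", "*")
		}
		if !allowCookieAuth(r) {
			r.Header.Del("Cookie")
		}
		next.ServeHTTP(w, r)
	})
}

// graphqlStub stands in for the real GraphQL handler: it reports whoever the
// (constructed) session cookie identifies, or "anonymous".
func graphqlStub(w http.ResponseWriter, r *http.Request) {
	who := "anonymous"
	if c, err := r.Cookie("session"); err == nil {
		who = "user:" + c.Value
	}
	fmt.Fprint(w, who)
}

// Result captures what one simulated browser request observed.
type Result struct {
	Status      int
	Body        string
	AllowOrigin string
}

// simulate builds a request for /.api/graphql with the given Origin, optional
// session cookie and optional custom header, and runs it through the middleware.
func simulate(method, origin string, withCookie, withHeader bool) Result {
	req := httptest.NewRequest(method, "/.api/graphql", nil)
	if origin != "" {
		req.Header.Set("Origin", origin)
	}
	if withCookie {
		req.AddCookie(&http.Cookie{Name: "session", Value: "alice"}) // constructed session
	}
	if withHeader {
		req.Header.Set(requiredHeader, "Sourcegraph")
	}
	if method == http.MethodOptions {
		req.Header.Set("Access-Control-Request-Method", "POST")
	}
	rec := httptest.NewRecorder()
	apiCORS(http.HandlerFunc(graphqlStub)).ServeHTTP(rec, req)
	body, _ := io.ReadAll(rec.Body)
	return Result{rec.Code, string(body), rec.Header().Get("Access-Control-Allow-Origin")}
}

func main() {
	fmt.Println("cross-origin fetch, cookie present:", simulate("POST", "https://other-site.example", true, true))
	fmt.Println("same-origin fetch with header:     ", simulate("POST", siteOrigin, true, true))
	fmt.Println("same-origin simple request:        ", simulate("POST", siteOrigin, true, false))
	fmt.Println("preflight from another site:       ", simulate("OPTIONS", "https://other-site.example", false, false))
}
```

The point of stripping the cookie server-side, in addition to never sending `Access-Control-Allow-Credentials`, is defence in depth: a browser will already refuse to deliver a credentialed cross-origin response under `Access-Control-Allow-Origin: *`, but the server should not rely on the client to enforce its own session policy.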