docs: move CORS documentation under dashboard section

code-asher · code-asher · commit a7ef1c3f0031 · 2023-06-09T12:53:22.000-08:00
None of this applies to ports forwarded in other ways.
diff --git a/docs/networking/port-forwarding.md b/docs/networking/port-forwarding.md
@@ -84,31 +84,24 @@ Valid `share` values include `owner` - private to the user, `authenticated` - ac
 
 ![Port forwarding from an app in the UI](../images/coderapp-port-forward.png)
 
-## SSH
+### Cross-origin resource sharing (CORS)
 
-First, [configure SSH](../ides.md#ssh-configuration) on your
-local machine. Then, use `ssh` to forward like so:
+When forwarding via the dashboard, Coder automatically sets headers that allow
+requests between separately forwarded applications belonging to the same user.
 
-```console
-ssh -L 8080:localhost:8000 coder.myworkspace
-```
+When forwarding through other methods the application itself will need to set
+its own CORS headers if they are being forwarded through different origins since
+Coder does not intercept these cases. See below for the required headers.
 
-You can read more on SSH port forwarding [here](https://www.ssh.com/academy/ssh/tunneling/example).
-
-## Cross-origin resource sharing (CORS)
-
-Coder automatically sets headers that allow requests between separately
-forwarded applications belonging to the same user.
-
-### Authentication
+#### Authentication
 
 Since forwarded ports are private, cross-origin requests must include
 credentials (set `credentials: "include"` if using `fetch`) or the requests
 cannot be authenticated and you will see an error resembling the following:
 
 > Access to fetch at 'https://dev.coder.com/api/v2/applications/auth-redirect' from origin 'https://8000--dev--user--apps.dev.coder.com' has been blocked by CORS policy: No 'Access-Control-Allow-Origin' header is present on the requested resource. If an opaque response serves your needs, set the request's mode to 'no-cors' to fetch the resource with CORS disabled.
 
-### Headers
+#### Headers
 
 Below is a list of the cross-origin headers Coder sets with example values:
 
@@ -126,7 +119,7 @@ The allowed origin will be set to the origin provided by the browser if the
 users are identical. Credentials are allowed and the allowed methods and headers
 will echo whatever the request sends.
 
-### Configuration
+#### Configuration
 
 These cross-origin headers are not configurable by administrative settings.
 
@@ -136,7 +129,7 @@ applications and thus cannot be modified by them. Read more about the difference
 between simple requests and requests that trigger preflights
 [here](https://developer.mozilla.org/en-US/docs/Web/HTTP/CORS#simple_requests).
 
-### Allowed by default
+#### Allowed by default
 
 <table class="tg">
 <thead>
@@ -199,3 +192,14 @@ between simple requests and requests that trigger preflights
 </table>
 
 > '\*' means `credentials: "include"` is required
+
+## SSH
+
+First, [configure SSH](../ides.md#ssh-configuration) on your
+local machine. Then, use `ssh` to forward like so:
+
+```console
+ssh -L 8080:localhost:8000 coder.myworkspace
+```
+
+You can read more on SSH port forwarding [here](https://www.ssh.com/academy/ssh/tunneling/example).
