
feat(signup): adds X-CSRFToken to cors (#42199)

This PR adds the `X-CSRFToken` to the allowed CORS headers. This is
needed to enable testing signup locally (i.e. running the static sites
repo) because they will run on different domains (unlike in prod).
Stephen Cefali 2 years ago
parent
commit
7af7f06d64
2 changed files with 3 additions and 3 deletions
  1. 1 1
      src/sentry/api/base.py
  2. 2 2
      tests/sentry/api/test_base.py

+ 1 - 1
src/sentry/api/base.py

@@ -86,7 +86,7 @@ def allow_cors_options(func):
         response["Access-Control-Allow-Headers"] = (
             "X-Sentry-Auth, X-Requested-With, Origin, Accept, "
             "Content-Type, Authentication, Authorization, Content-Encoding, "
-            "sentry-trace, baggage"
+            "sentry-trace, baggage, X-CSRFToken"
         )
         response["Access-Control-Expose-Headers"] = "X-Sentry-Error, Retry-After"
 
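Review bot: The commit description says `X-CSRFToken` is needed only for local signup testing across domains, but the header is appended to the hard-coded `Access-Control-Allow-Headers` string, so it is advertised on preflight responses in every environment, production included. Whether that is safe depends on how `Access-Control-Allow-Origin` and credentialed requests are decided, which is not visible in this hunk; if the origin check is a strict allowlist the added exposure is likely small, but that dependency should be written down next to the list. I would add a comment above the string such as `# X-CSRFToken: lets the separately hosted signup site send the CSRF header; safe only while allowed origins stay an explicit allowlist`, or build the value from a setting so the extra header can be limited to development. The body of `allow_cors_options` starts and ends outside the hunk.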

+ 2 - 2
tests/sentry/api/test_base.py

@@ -81,7 +81,7 @@ class EndpointTest(APITestCase):
         assert response["Access-Control-Allow-Headers"] == (
             "X-Sentry-Auth, X-Requested-With, Origin, Accept, "
             "Content-Type, Authentication, Authorization, Content-Encoding, "
-            "sentry-trace, baggage"
+            "sentry-trace, baggage, X-CSRFToken"
         )
         assert response["Access-Control-Expose-Headers"] == "X-Sentry-Error, Retry-After"
         assert response["Access-Control-Allow-Methods"] == "GET, HEAD, OPTIONS"
@@ -121,7 +121,7 @@ class EndpointTest(APITestCase):
         assert response["Access-Control-Allow-Headers"] == (
             "X-Sentry-Auth, X-Requested-With, Origin, Accept, "
             "Content-Type, Authentication, Authorization, Content-Encoding, "
-            "sentry-trace, baggage"
+            "sentry-trace, baggage, X-CSRFToken"
         )
         assert response["Access-Control-Expose-Headers"] == "X-Sentry-Error, Retry-After"
         assert response["Access-Control-Allow-Methods"] == "GET, HEAD, OPTIONS"
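Review bot: The expected `Access-Control-Allow-Headers` value is spelled out verbatim in both assertions of `EndpointTest` (the hunks at old lines 81 and 121), so each header addition has to be edited in two places, as this commit does. A module-level constant in the test file, for example `EXPECTED_ALLOW_HEADERS = (...)` holding the full string, used by both assertions, would keep them in step. It should remain a literal in the test rather than be imported from `base.py`, so the test still pins the exact value sent to browsers. The test methods start outside both hunks.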