Lack of CORS headers (access-control-allow-origin) should force a space into cache mode

[eastein]

https://github.com/SpaceApi/validation-plugins/blob/master/headers-hosting-consideration.php is the warnings code as is

see issue #36 for history background.

We need to have some way of dealing with the fact that lack of CORS header makes it totally unusable for a js web application to try to hit the spaces directly. As much as we would rather everyone fixed their end point, it would be nice to fix the issue from the API central point. We could make it be in 10 minute cache or even an hour, so as to penalize the spaces for failing to comply.

[slopjong]

Here's the list with spaces that don't respect the acao header: http://pastebin.com/raw.php?i=7DtVuFgN

[brimstone]

I think that apps should be able to function without the directory, keeping the spaceapi as distributed as possible.
I think that proper CORS headers should be required for 0.14.
I think it would be nice to continue to cache the endpoints as we currently do, and provide a ?cached=true option of some sort to the directory for apps that don't required live data or are OK with a third party caching the endpoints.