docs: deprecate daemon's api-cors-header flag

[akerouanton]

Related to:

• Deprecate dockerd api-cors-header parameter moby/moby#45313

- What I did

Update the "Deprecated Engine Features" doc page to warn about daemon's api-cors-header deprecation.

[codecov-commenter]

Codecov Report

All modified and coverable lines are covered by tests ✅

Project coverage is 61.31%. Comparing base (57a1180) to head (9d9bb19).
Report is 16 commits behind head on master.

Additional details and impacted files

@@            Coverage Diff             @@
##           master    #5085      +/-   ##
==========================================
- Coverage   61.32%   61.31%   -0.01%     
==========================================
  Files         298      295       -3     
  Lines       20706    20701       -5     
==========================================
- Hits        12698    12693       -5     
+ Misses       7106     7105       -1     
- Partials      902      903       +1     

[thaJeztah]

Wondering if we can make this description more generic; Authz plugins are one way to do this, but are also a bit of a corner-case use (there may be many other approaches). The authz plugin feature also isn't very actively maintained, so somewhat trying to avoid it coming across as a recommendation.

cc @dvdksn in case you have good suggestions.

[dvdksn]

could we just pretend Authz was short for authorization?

Suggested change

	Daemon's `api-cors-header` flag is deemed insecure as it could be enabled
	without any Authz plugin enabled beforehand.
	Daemon's `api-cors-header` flag is deemed insecure as it could be enabled
	without any authorization plugin enabled beforehand.

[dvdksn]

Here's another try from me:

Suggested change

	Daemon's `api-cors-header` flag is deemed insecure as it could be enabled
	without any Authz plugin enabled beforehand.
	The `api-cors-header` configuration option for the Docker daemon is insecure,
	and is therefore deprecated and scheduled for removal.
	Incorrectly setting this option could leave a window of opportunity
	for unauthenticated cross-origin requests to be accepted by the daemon.
	Starting in Docker Engine v27.0, this flag can still be set,
	but it has no effect unless the environment variable
	`DOCKERD_DEPRECATED_CORS_HEADER` is also set to a non-empty value.
	This flag will be removed altogether in v28.0.
	This is a breaking change for authorization plugins and other programs
	that depend on this option for accessing the Docker API from a browser.
	If you need to access the API through a browser, use a reverse proxy.

[akerouanton]

Thanks @dvdksn!

[thaJeztah]

LGTM

[thaJeztah]

I'll bring this one in; one more thing we may need to consider is to add some notes on https://github.com/docker/cli/blob/6a4d38c7f2fe17351f78ff9dfe7ec2ee9b15f1df/docs/reference/dockerd.md

The dockerd docs are not (yet) generated from Cobra, so that means we won't have a table with options / annotations that flags are deprecated. And we also have the option documented for the daemon.json config.

@dvdksn if you have any good ideas how to update those docs; let me know. I don't expect it to be a popular option, but .. well .. someone, somewhere will likely use it.