Add "Access-Control-Expose-Headers" for X-Quota-Current and X-Quota-Limit response headers, so they are accessible to clients calling the API via Ajax

[zarino]

The MapIt documentation says that:

All API responses include your current usage and limit in the X-Quota-Current and X-Quota-Limit response headers.

But, CORS restrictions mean that browsers strip most headers from Ajax responses by default, so if you’re calling MapIt via Ajax, you can’t see those Quota headers.

It sounds like the expectation is that servers indicate which headers should be passed to the client, by providing them as a comma-separated list (or the string *) under another Access-Control-Expose-Headers header.

I guess we’d want to add that to the response dicts in output_json and output_polygon, in shortcuts.py, the same as we do for the Access-Control-Allow-Origin header? eg:

response["Access-Control-Expose-Headers"] = "X-Quota-Current, X-Quota-Limit"

@dracos Given these headers might be handy for something we’re building in the Climate team, I’m happy to do a PR for this, if you agree with the approach?