JSON auth should set 'Access-Control-Allow-Origin = *'

Setup:

• Guacamole/guacd: 1.5.2, Docker versions
• Browser: Chrome & Firefox (latest)

I'm trying to use the JSON auth and running into a problem where after doing the POST to '<guacamole>/api/tokens' the response (that contains the required login token) is getting blocked due to CORS.  Everything works fine otherwise, I can even see the log entry in Guacamole that the login was successful.  But the browser is blocking the response due to CORS.

I've got a javascript app (Vue if it matters) running in the browser making the POST call.

What I think should happen (and admitting I'm not an expert in CORS) is that the response to the POST call should set the 'Access-Control-Allow-Origin = *' header in the response to allow the browser to let my app see the response.

I've tried a few simple tests, like using Chrome plugins to either 1) disable CORS checks or 2) set the 'Access-Control-Allow-Origin = *' header in the POST response, and both "fix" the problem.