Hi Jon,
Very good question. I've been trying to plunk around with generating an SAPUI5 app, pointing to SAP API Management, but alas my UI5 skills are not yet where I'd like them to be. So my response will be a bit more theoretical than I typically like it to be.
The short answer is, yes, SAP API Management can be configured to support CORS between an App and its API data source. We are still in the process of generating more robust documentation around how to do that, but in the short term, I can provide a small look into how to do it.
In SAP API Management, there is a policy called "Assign Message" whose function is to add data into the stream, e.g. headers, queryparams, etc. in here we add headers to allow the cross origin request. This policy would be placed in the TargetEndPoint Response flow.
Code:
<AssignMessage async="false" continueOnError="false" enabled="true" xmlns='http://www.sap.com/apimgmt'>
<Add>
<Headers>
<Header name="Access-Control-Allow-Origin">*</Header>
<Header name="Access-Control-Allow-Headers">origin, x-requested-with, accept </Header>
<Header name="Access-Control-Max-Age">3628800</Header>
<Header name="Access-Control-Allow-Methods">GET, PUT, POST, DELETE</Header>
</Headers>
</Add>
<IgnoreUnresolvedVariables>false</IgnoreUnresolvedVariables>
<AssignTo createNew="false" type="response">response</AssignTo>
</AssignMessage>
This is the simple scenario, where the target supports the Preflight method. If this is not supported, more advanced policy controls will need to be added. I hope that this helps answer your question.
Regards,
Elijah