
Configure CORS #547

Closed
manthey opened this issue Dec 4, 2014 · 2 comments

@manthey
Member

manthey commented Dec 4, 2014

Make it straightforward to configure CORS for access to RESTful endpoints.

For testing access from an external web app, I've hacked in CORS headers on an OPTIONS request and on general responses. It should be something configurable (perhaps even a setting) to determine which origins are allowed.

@manthey
Member Author

manthey commented Dec 5, 2014

I'm working on adding CORS support. I'm not sure how restrictive I should make the server side of things. A lot of the security that CORS adds assumes you are using a benign client that properly sends an accurate Origin header. If the client sends a false Origin header, the server will serve the response regardless.

Given the assumption of an honest Origin header, I can make the server more or less restrictive as we see fit.

In the most restrictive mode, we can (a) fail some requests if they are missing Origin, (b) check to make sure methods are allowed both in the preflight OPTIONS request and during the actual METHOD, (c) check to make sure only approved headers have been sent. All of this adds some overhead to every request.

In the least restrictive implementation, we can (a) let through any request without an Origin, (b) only check which methods are allowed in preflight (this means that if we said that the DELETE method wasn't approved, we are relying on a browser not sending one, for instance), (c) expect the client to police the headers.

The actual specification http://www.w3.org/TR/cors/ is non-normative on these points.
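The two modes contrasted in the comment above, written out as an added illustration (this is not the project's code; the origins, methods and header names are constructed sample values):

```python
# Server-side CORS policy check in "strict" and "lenient" modes.
# Illustrative code, not the project's own; allow-lists are constructed samples.
from dataclasses import dataclass


@dataclass
class CorsPolicy:
    allowed_origins: set
    allowed_methods: set
    allowed_headers: set       # compared case-insensitively
    strict: bool = True        # True = the "most restrictive" mode


def check_cors(policy, method, headers):
    """Return (allowed, response_headers) for one request.

    `headers` is a dict of request headers with lower-case keys.
    A preflight is an OPTIONS request carrying Access-Control-Request-Method.
    Note: the server can only trust Origin as sent; a non-browser client can
    forge it, so this is a browser-side protection, not authentication.
    """
    origin = headers.get("origin")
    if origin is None:
        # Strict mode fails requests without Origin; lenient mode lets them
        # through but emits no CORS headers (a browser would still block).
        return (not policy.strict, {})
    if origin not in policy.allowed_origins:
        return (False, {})
    resp = {"Access-Control-Allow-Origin": origin, "Vary": "Origin"}
    is_preflight = method == "OPTIONS" and "access-control-request-method" in headers
    if is_preflight:
        req_method = headers["access-control-request-method"].upper()
        raw = headers.get("access-control-request-headers", "")
        req_headers = {h.strip().lower() for h in raw.split(",") if h.strip()}
        if req_method not in policy.allowed_methods:
            return (False, {})
        # Strict mode checks requested headers; lenient expects the client to.
        if policy.strict and not req_headers <= {h.lower() for h in policy.allowed_headers}:
            return (False, {})
        resp["Access-Control-Allow-Methods"] = ", ".join(sorted(policy.allowed_methods))
        resp["Access-Control-Allow-Headers"] = ", ".join(sorted(policy.allowed_headers))
        return (True, resp)
    # Actual request: strict mode re-checks the method; lenient mode relies on
    # the browser having honoured the preflight answer.
    if policy.strict and method.upper() not in policy.allowed_methods:
        return (False, {})
    return (True, resp)
```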

@manthey
Member Author

manthey commented Dec 10, 2014

Added in PR #549.

@manthey manthey closed this as completed Dec 10, 2014