aws-powertools / powertools-lambda-python

A developer toolkit to implement Serverless best practices and increase developer velocity.
https://docs.powertools.aws.dev/lambda/python/latest/
MIT No Attribution
2.71k stars 376 forks

fix(event_handler): CORS Behaviour changes #4638

Open sthulb opened 4 days ago

sthulb commented 4 days ago

Issue number: #4589

Summary

Ensures CORS behaviour is correct.

Changes

Please provide a summary of what's being changed

| Scenario | Old Behaviour | New Behaviour |
| --- | --- | --- |
| Default/Empty CORSConfig | Sets Origin header as ACA-Origin regardless | Returns *, disables ACA-Credentials |
| CORSConfig has allowed_origins | Sets Origin header as ACA-Origin regardless | Returns correct origin for ACA-Origin |
| CORSConfig is set with domains and * in allowed_origins | Sets Origin header as ACA-Origin regardless | If no matching Origin is found, it will return * and disable ACA-Credentials |

The disabling of Access-Control-Allow-Credentials is to prevent server-side credentials being returned to non-named origins.

User experience

Please share what the user experience looks like before and after this change

Checklist

If your change doesn't seem to apply, please leave them unchecked.

Is this a breaking change?

**RFC issue number**:

Checklist:

* [ ] Migration process documented
* [ ] Implement warnings (if it can live side by side)

Acknowledgment

By submitting this pull request, I confirm that you can use, modify, copy, and redistribute this contribution, under the terms of your choice.

Disclaimer: We value your time and bandwidth. As such, any pull requests created on non-triaged issues might not be successful.
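
The scenarios in the table above, modelled as an added example that is not part of this pull request or of the Powertools code base: a stand-alone Python model of the old and new header selection, run over constructed origins. The function names, the `allow_credentials` flag and the empty result for an unmatched origin when `*` is not configured are assumptions; `allowed_origins` follows the table's wording.

```python
from typing import Dict, Iterable, Optional

ACAO = "Access-Control-Allow-Origin"
ACAC = "Access-Control-Allow-Credentials"


def old_cors_headers(origin: Optional[str], allow_credentials: bool = False) -> Dict[str, str]:
    """Old behaviour from the table: the request Origin is reflected regardless."""
    if not origin:
        return {}
    headers = {ACAO: origin}
    if allow_credentials:  # assumption: credentials flag was honoured for any origin
        headers[ACAC] = "true"
    return headers


def new_cors_headers(origin: Optional[str], allowed_origins: Iterable[str] = (),
                     allow_credentials: bool = False) -> Dict[str, str]:
    """New behaviour from the table (hypothetical stand-alone model)."""
    configured = list(allowed_origins)
    named = {o for o in configured if o != "*"}
    if origin in named:
        # Named origin: return it, and only here may credentials be allowed.
        headers = {ACAO: origin}
        if allow_credentials:
            headers[ACAC] = "true"
        return headers
    if not configured or "*" in configured:
        # Default/empty config or wildcard fallback: "*" and no credentials header.
        return {ACAO: "*"}
    # Assumption: unmatched origin and no "*" configured -> no CORS headers at all.
    return {}


def run_scenarios() -> Dict[str, Dict[str, str]]:
    """Constructed sample origins covering each row of the table."""
    app, other = "https://app.example.com", "https://untrusted.example"
    return {
        "old_reflects_any": old_cors_headers(other, True),
        "default_config": new_cors_headers(other, (), True),
        "named_match": new_cors_headers(app, [app], True),
        "wildcard_fallback": new_cors_headers(other, [app, "*"], True),
        "named_with_wildcard": new_cors_headers(app, [app, "*"], True),
        "unmatched_no_wildcard": new_cors_headers(other, [app], True),
    }


if __name__ == "__main__":
    for name, headers in run_scenarios().items():
        print(f"{name:24} {headers}")
```

A regression test for this change would assert that `Access-Control-Allow-Credentials` never appears alongside `*` or alongside an origin that is not explicitly named.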

sonarcloud[bot] commented 1 day ago

Quality Gate passed

Issues
0 New issues
0 Accepted issues

Measures
0 Security Hotspots
0.0% Coverage on New Code
0.0% Duplication on New Code

See analysis details on SonarCloud