qzind / tray

Browser plugin for sending documents and raw commands to a printer or attached device.
https://qz.io

Add new CORS rules for Chromium #703

Open tresf opened 4 years ago

tresf commented 4 years ago

Summary:

[Chromium will] begin requiring servers on a user's machine (127.0.0.1) or intranet (as defined by RFC1918) to explicitly opt-in to connections originating from the public internet.

This impact was originally anticipated and unwelcome (Dropbox authors opposed this), but the recent change to fix this with CORS is much preferred. It means services (such as Dropbox, QZ Tray) can explicitly opt-in for connection attempts/internet-originated traffic.

Assigning to @bberenz to investigate and add the necessary CORS connection headers. Any further information (such as how to test such a change, when this will land in the production version of Chrome, etc.) is welcome.

akberenz commented 4 years ago

It looks like the websocket portion of this revision is still under consideration and a decision between headers/preflights/both hasn't yet been made (3.2, i#4). I'm not sure it makes sense for us to add anything yet until this gets into a more determined state.

tresf commented 4 years ago

@bberenz we'll need it for the JSON API (e.g. https://localhost:8181/json) through https:// so we can prepare a branch/PR in advance to cover one and potentially cover the other now, no?
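
The opt-in discussed in this thread, sketched for the HTTPS JSON API preflight only (the WebSocket side is undecided, as noted above). This is an added example, not code from the issue or from QZ Tray: the `Access-Control-Request-Private-Network` / `Access-Control-Allow-Private-Network` header names come from the Private Network Access draft rather than from this page, and the origin allowlist, the method list and the function names are hypothetical.

```javascript
// Added example: compute the response to a CORS preflight sent to a localhost JSON API.
// ALLOWED_ORIGINS is a hypothetical allowlist (constructed sample), not QZ Tray configuration.
const ALLOWED_ORIGINS = new Set(["https://app.example.com"]);
const ALLOWED_METHODS = new Set(["GET", "POST"]);

function lower(headers) {
  // Header names are case-insensitive; normalise them before lookup.
  const out = {};
  for (const [k, v] of Object.entries(headers)) out[k.toLowerCase()] = String(v).trim();
  return out;
}

function preflightResponse(method, headers) {
  const h = lower(headers);
  const origin = h["origin"];
  const wanted = h["access-control-request-method"];
  // Only OPTIONS carrying Origin and Access-Control-Request-Method is a preflight;
  // anything else is left to the normal request handler.
  if (method !== "OPTIONS" || !origin || !wanted) return null;

  // Deny by default: without CORS headers the browser blocks the follow-up request.
  if (!ALLOWED_ORIGINS.has(origin) || !ALLOWED_METHODS.has(wanted)) {
    return { status: 403, headers: { "Vary": "Origin" } };
  }
  const res = {
    "Access-Control-Allow-Origin": origin, // echo the exact origin, never "*"
    "Access-Control-Allow-Methods": [...ALLOWED_METHODS].join(", "),
    "Vary": "Origin",
  };
  if (h["access-control-request-headers"]) {
    res["Access-Control-Allow-Headers"] = "Content-Type";
  }
  // Grant private-network access only when the browser asked for it,
  // and only to an origin that already passed the allowlist.
  if (h["access-control-request-private-network"] === "true") {
    res["Access-Control-Allow-Private-Network"] = "true";
  }
  return { status: 204, headers: res };
}
```

Tying the private-network grant to the same allowlist as the ordinary CORS decision keeps the opt-in from becoming a blanket permission for any public site to reach the local service.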