Add CORS headers to the HTTP server

[kaizen403]

No CORS headers are set on any response, so browser-based clients get blocked. Add Access-Control-Allow-Origin, Access-Control-Allow-Methods, and Access-Control-Allow-Headers headers, and handle OPTIONS preflight requests.