Fix CORS header configuration
Cross-Origin-Resource-Policy (CORP) can only be used to tighten restrictions which would not even be inhibited by the same-origin policy, e.g. images and scripts.
But we want scripts to be able to make CORS-enabled requests to our API and CORP does not help with that at all. We do need to explicitly add the Access-Control-Allow-Origin (ACAO) header to let the scripts running in the CMS access our API.
Edited by Adam Reichold
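
The distinction described above, as an added example that is not part of the original change or the project's code: a simplified model of the browser checks showing that CORP can only block embedding while ACAO is what grants a script read access. The origins `https://cms.example` and `https://api.example` and all function names are assumptions; preflight, credentials, CORP `same-site` and COEP are not modelled.

```javascript
// Added example: simplified model, not a full Fetch/CORS implementation.
// Hypothetical origins; the page does not name the real CMS or API hosts.
const ALLOWED_ORIGINS = new Set(["https://cms.example"]);

// Server side: build the CORS response headers for one request.
function corsHeaders(requestOrigin) {
  // Vary: Origin keeps caches from serving one origin's response to another.
  const headers = { "Vary": "Origin" };
  if (requestOrigin && ALLOWED_ORIGINS.has(requestOrigin)) {
    // Echo the exact allowlisted origin instead of "*".
    headers["Access-Control-Allow-Origin"] = requestOrigin;
  }
  return headers;
}

// Browser side (simplified): may a script at pageOrigin read a fetch() response?
function scriptMayRead(pageOrigin, apiOrigin, responseHeaders) {
  if (pageOrigin === apiOrigin) return true; // same-origin, no CORS check
  const acao = responseHeaders["Access-Control-Allow-Origin"];
  // CORP is never consulted to grant access here: it can only block more.
  return acao === "*" || acao === pageOrigin;
}

// Browser side (simplified): may pageOrigin embed the resource via <img>/<script>?
function embedAllowed(pageOrigin, resourceOrigin, responseHeaders) {
  const corp = responseHeaders["Cross-Origin-Resource-Policy"];
  // Without CORP such embedding is allowed by default; CORP can only forbid it.
  if (corp === "same-origin") return pageOrigin === resourceOrigin;
  return true;
}

function demo() {
  const page = "https://cms.example";
  const api = "https://api.example";
  const corpOnly = { "Cross-Origin-Resource-Policy": "cross-origin" };
  return {
    // CORP alone, even at its most permissive value, does not allow the read.
    readWithCorpOnly: scriptMayRead(page, api, corpOnly),
    // ACAO for the allowlisted CMS origin does.
    readWithAcao: scriptMayRead(page, api, corsHeaders(page)),
    // An origin outside the allowlist gets no ACAO and stays blocked.
    readFromOther: scriptMayRead("https://other.example", api,
                                 corsHeaders("https://other.example")),
    // What CORP is for: tightening embedding that is otherwise permitted.
    embedDefault: embedAllowed(page, api, {}),
    embedCorpSameOrigin: embedAllowed(page, api,
                                      { "Cross-Origin-Resource-Policy": "same-origin" }),
  };
}

console.log(demo());
```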