Only return CORS headers in the response as required
- Split out responses of preflight and actual CORS requests
- If the request is not CORS valid, don't set the CORS response headers
Note that invalid CORS requests should not actually throw error
responses, the client should simply not handle the response because the
response does not have the right headers (it's a client side policy
error not an http error). We do throw a 403 for a mismatch with the
queryparam, but since that is 'outside' of the spec, that might be
appropriate.
Bug: T76701
Change-Id: Ib296c68babe5c0b380268ee7793b3d6d35b9c3e3