updates the local API service to include CORS headers

[jlapier]

Previous to this commit, sam local api would only return CORS headers when an OPTIONS request is made. This causes issues for browsers, which expect at the very least "Access-Control-Allow-Origin" to be present on other HTTP methods. This commit adds the "Access-Control-Allow-Origin" header to a request if it is made with one of the Allowed-Methods.

References:

• Fetch spec on CORS: https://fetch.spec.whatwg.org/#cors-request
• Examples from Mozilla: https://developer.mozilla.org/en-US/docs/Web/HTTP/CORS
• API Gateway doc on when to supply CORS headers: https://docs.aws.amazon.com/apigateway/latest/developerguide/how-to-cors.html

Which issue(s) does this change fix?

#1460

Why is this change necessary?

In order to test a local UI against a local API via sam, proper CORS headers are required or the browser will reject the requests.

How does it address the issue?

Adds the Access-Control-Allow-Origin header if a CORS configuration is present for the API.

What side effects does this change have?

The CORS header behavior is not entirely predictable for REST APIs, according to the AWS API Gateway docs. This change may mask a need to include the headers at the integration point. However, for HTTP APIs, the behavior is much more predicable and this change is consistent with that behavior.

Checklist

• [ ] Add input/output type hints to new functions/methods
• [ ] Write design document (Do I need to write a design document?)
• [ ] Write unit tests
• [ ] Write/update functional tests
• [x] Write/update integration tests
• [x] make pr passes
• [ ] make update-reproducible-reqs if dependencies were changed
• [ ] Write documentation

By submitting this pull request, I confirm that my contribution is made under the terms of the Apache 2.0 license.