fix: prevent duplicate Access-Control-Allow-Origin header when origin…

[mkrou]

…s is empty

When CORS origins configuration is empty, disable CORS headers to avoid conflicts with proxied server's CORS headers. This prevents duplicate Access-Control-Allow-Origin headers when killgrave is used as a proxy.

• Add AllowedOriginValidator that returns false when origins is empty
• Add comprehensive tests for PrepareAccessControl function
• Maintain backward compatibility for non-empty origins configuration

Fixes issue where empty origins list would cause gorilla/handlers to add default '*' origin header, conflicting with proxied server headers.