Added modifiable Access-Control-Allow-Headers

[rodkeys]

Added modifiable Access-Control-Allow-Headers list to sample config and app.js . Without setting accepted headers browser CORS requests, by default, return "Request header field xxx is not allowed by Access-Control-Allow-Headers in preflight response".