Allow configuring CORS from the backend.yaml

[NathanFlurry]

This is a backend-wide configuration for the HTTP server itself, not something specific to modules. So this needs to be configured for the entire project.

This should have a default of no CORS in order to prevent unrestricted 3rd party sites. If CORS is disabled (like by default), send Access-Control-Allow-Origin: null

Example backend.yaml:

interface ProjectConfig {
  runtime?: RuntimeConfig,
  // ...
}

interface RuntimeConfig {
  // if null, send cors but don't
  cors?: CorsConfig,
}

interface CorsConfig {
  origins: string[]
  // all other cors options are configured by us
}