encors

Simplify Whitelisted Headers

Open rymndhng opened this issue 8 years ago • 0 comments

Refactor simple-headers-wo-content-type to access-control-request-headers-whitelist.

The whitelist behaves differently by set/difference-ing access-control-request-headers instead of set/union-ing the access-control-allowed-headers. This way, we do not put unnecessary headers in the response access-control-allowed-headers.

From testing, the only required header in the whitelist is "Origin". Safari always sends this in "Access-Control-Request-Headers" during pre-flight, whereas Firefox and Chrome do not.

rymndhng Mar 05 '16 01:03
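
The two approaches the issue contrasts, side by side, as an added example that is not encors code or part of the original issue. The namespace, function names, the configured allowed header `x-requested-with` and the sample preflight values are assumptions made for illustration; only the "origin" whitelist entry comes from the issue.

```clojure
(ns example.cors-preflight
  (:require [clojure.set :as set]
            [clojure.string :as str]))

;; Hypothetical name; the issue reports "Origin" as the only entry needed.
(def request-headers-whitelist #{"origin"})

(defn parse-header-list
  "Turn an Access-Control-Request-Headers value into a set of
  lower-cased header names (header names are case-insensitive)."
  [value]
  (->> (str/split (or value "") #",")
       (map (comp str/lower-case str/trim))
       (remove str/blank?)
       set))

(defn check-with-union
  "Union approach: widen the configured allowed set with the whitelist.
  The widened set is also what gets advertised in the response."
  [allowed whitelist requested]
  (let [effective (set/union allowed whitelist)]
    {:ok?           (set/subset? requested effective)
     :allow-headers (str/join ", " (sort effective))}))

(defn check-with-difference
  "Difference approach: drop whitelisted names from the request before
  validating, so the response advertises only the configured headers."
  [allowed whitelist requested]
  (let [to-check (set/difference requested whitelist)]
    {:ok?           (set/subset? to-check allowed)
     :allow-headers (str/join ", " (sort allowed))}))

;; Constructed preflight values: one that lists Origin, one that does
;; not, and one asking for a header the server never configured.
(let [allowed #{"x-requested-with"}
      samples {"lists origin"       "Origin, X-Requested-With"
               "omits origin"       "x-requested-with"
               "unconfigured header" "Origin, X-Custom"}]
  (doseq [[label raw] samples
          :let [requested (parse-header-list raw)]]
    (println label
             "| union:" (check-with-union allowed request-headers-whitelist requested)
             "| difference:" (check-with-difference allowed request-headers-whitelist requested))))
```

Both functions accept and reject the same requests; they differ only in the `:allow-headers` value, where the union approach also advertises the whitelisted name.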