CORS preflight

Handled by the CORS middleware when cors_origins is configured on the agent. The middleware returns the usual Access-Control-* headers so browser clients on allowed origins can make the follow-up GET.