3.3.8 regression: corsOrigin * no longer allowed

Created by: slimsag

Setting "corsOrigin": "*" no longer works in 3.3.8+, Sourcegraph does not respond with the proper Access-Control-Allow-Origin header in OPTIONS request responses.

This appears to only affect non-browser extension requests, since those originate from a known origin, which explains why we did not catch this. A customer is relying on the behavior of this outside of a browser extension scope, though, to more generally configure CORS responses from Sourcegraph which seems very reasonable to support in an API context.

This regression appears to have occurred in https://github.com/sourcegraph/sourcegraph/commit/34caedf364b18559ce62f7cba036d6cd890de179#diff-16c810a296953d51a6e43ae5f7d5fd74L138 because isAllowedOrigin fails whereas before we set the header regardless:

https://github.com/sourcegraph/sourcegraph/blob/87932e2986a4d758199726acf1b9b6deb1962396/cmd/frontend/internal/cli/http.go#L147

To fix, we should update this function to support * properly or revert the relevant part of the bad commit:

https://github.com/sourcegraph/sourcegraph/blob/87932e2986a4d758199726acf1b9b6deb1962396/cmd/frontend/internal/cli/serve_cmd.go#L274-L281

407948923