security: make CORS enforcement of non-API routes even more strict

Created by: slimsag

This PR is stacked on top of #27240.

There are three commits:

• The first has no behavior change, it just moves code around to make te next commit even more clean and make the logic more legible.
• The second:
  • Forbids cross-origin requests for all non-API routes, even if they are from an allowed origin in the site config corsOrigin setting.
  • Effectively makes corsOrigin only configure cross-origin access of our API routes. i.e. because a cross-origin request for verify email, sign out, etc. never makes any sense, we should be more strict.
  • Fixes sourcegraph/security-issues#176
• The third updates our CSRF threat model document to reflect the improvements.