Enable CORS on specific domains

[fuse]

When dealing with authenticated cross domain requests, we can’t use wilcard for Access-Control-Allow-Headers.

In that case we need to be specific about domains we want to allow. This pull request permits it.