add permissive CORS response header
* for the SPA web app:
- requests are sent one-way to the server
- responses are ignored
* commands are issued
* nothing meaningful is communicated back
- lack of a CORS response header results in:
* the browser blocking data in the response
* a warning logged to the javascript console
- adding this header:
* makes no functional difference
* prevents the log messages
* for other web clients:
- there are AirPlay endpoints that return metadata
- if any of this data is queried,
this CORS header will permit the client to read it