Handle CORS preflight request

Problem/Motivation

If the report is being sent from a different domain than the one receiving reports, Chrome sends a CORS preflight OPTIONS request before submitting reports.
If the preflight response returns an error, Chrome will (1) retry the request after a delay (2) discard the reports after not receiving a 2XX response to the preflight requests.

This should not affect sites handling their own reports, but would prevent e.g. sending all reports to one site in a multi-site setup.

Proposed resolution

Send a 204 response to OPTIONS requests to the report handler route, with the necessary CORS response headers.

Remaining tasks

Allow specifying origin domains to accept CORS preflight from.

User interface changes

API changes

Data model changes