Setup CORS headers

For now, only allow GET.

I did try rack-cors, but unfortunately with the given config I could not manage to set the headers properly (I don't exactly know where this comes from, the config is executed, but nothing comes up in the headers); the configuration is simple enough that we can set this directly rather than debug our whole middleware.