Remove partial support for CORS on webfinger routes and replace
it with the Rack::Cors middleware. This provides more complete
CORS support and works around a caching issue with nginx on
Heroku and potentially other reverse proxies.

CORS headers are only added if the incoming request includes
an "Origin" header, which seems to be correct according to
the CORS spec.

closes #2216