this commit makes the API handler short circuit the request if the
CORS headers say its not allowed. (the CORS handler only sets the
headers, but does not short-circuit)

It also makes the handler respect the referer again. See security
discussion at https://github.com/ipfs/go-ipfs/issues/1532

License: MIT
Signed-off-by: Juan Batiz-Benet <juan@benet.ai>