Allow all headers in CORS requests

Temporary workaround if we do not want to maintain a whitelist.

server/http.go

@@ -445,6 +445,7 @@ func (h *Server) Handler() http.Handler {
 	// Add CORS headers on the main SSO API endpoint.
 	c := cors.New(cors.Options{
 		AllowedOrigins:   h.allowedOrigins,
+		AllowedHeaders:   []string{"*"},
 		AllowCredentials: true,
 		MaxAge:           86400,
 	})