webhooks: Update CORS policy

[ParkMyCar]

This PR updates the CORS policy for the webhook endpoint to explicitly support all origins by mirroring the origin in the request, and limiting to just POST requests.

Note: I chatted with Matt Arthur about this and he signed off on it.

Motivation

@bobbyiliev was working on a tool that can take a sample JSON blob and send faked data with that same schema. But he was encountering CORS issues related to localhost. This change to the CORS policy should be more permissive and allow a tool like Bobby's to work without issue.

Checklist

• This PR has adequate test coverage / QA involvement has been duly considered.
• This PR has an associated up-to-date design doc, is a design doc (template), or is sufficiently small to not require a design.
• If this PR evolves an existing $T ⇔ Proto$T mapping (possibly in a backwards-incompatible way), then it is tagged with a T-proto label.
• If this PR will require changes to cloud orchestration or tests, there is a companion cloud PR to account for those changes that is tagged with the release-blocker label (example).
• This PR includes the following user-facing behavior changes:
  • Relaxes the CORS policy for the webhook API.