Have ES give back CORS headers.

I was running into a situation where I needed ES to give back a `Access-Control-Allow-Origin` header. All I had to do was [add a config](https://github.com/Banno/elasticsearch/compare/allow-cors) for ES, but I'm assuming this wouldn't ideal for most use cases to let it be so open to the world by default.  Do you have any thoughts?
