CORS is often tricky for application developers and is an unfamiliar concept for platform admins. Let's document how Coder handles CORS for port-forwarded applications. Specifically:

• What headers does Coder set?
• How can these headers be disabled (by the application developer or Coder admin)
• What types of requests are allowed, by default?
• What types of requests can be enabled/disabled by setting headers?
• Can the application override these headers?
• Is there any "Eventual work" from the RFC that we plan to do? If so, link to the GitHub issue
• Docs for which of the following is enabled by default / enable-able / unsupported:
  • Local machine -> Subdomain app
  • Subdomain app from user 1 workspace -> Subdomain app from user 2 workspace
  • Subdomain app from user 1 workspace 1 -> Subdomain app from user 1 workspace 2
  • Subdomain app from user 1 workspace 1 -> Another subdomain app from user 1 workspace 1

This can, of course, be a tiny section, but it would be awesome to have a document we can refer Coder admins (and end users) to which explains this. Here is an example.

I think we can put this in our "port forwarding" docs, or as a separate section under "Networking:" https://coder.com/docs/v2/latest/networking/port-forwarding