Working with the CORS plugin has proven quite hard in my testing experience.

Installing it immediately makes all requests fail, including just simple GET requests that don't have an "Origin" header.

This is very anti-ergonomic. We should only block requests that might be using CORS, and use an InterceptorConfig to relax the protection of specific handlers.

The default behavior of the plugin should be to make an application that doesn't make use of CORS behave exactly as before, but reject all CORS requests.

Then users could relax the behavior on specific endpoints.