Set a restrictive CORS policy on the API for credentialed requests

Cross-origin requests can still be made, as long as the client doesn't
use the Rails session cookie to do so. Existing clients should not
be setting 'withCredentials: true', so this should be fine.