Understand if it is a good idea to always allow CORS

[giovannipizzi]

And if not, maybe add a traitlet to the ProxyBaseHandler to configure whether CORS should be allowed and where (I see two/three points: in general, for the /proxytoken/, and if it should be forced for all proxied request or in that case it is up to the proxied server to expose those headers).