gateway: add CORS to specs

[lidel]

Currently, gateway specs leave CORS to implementers, but various things will not work on public gateways (path, subdomain, and trustless) unless relaxed CORS is set, like we do in boxo/gateway.

Tasks

Beta Give feedback

1. add https://specs.ipfs.tech/http-gateways/cors - a standalone spec documenting CORS behavior on different gateway types and use cases.
2. make existing path gateway, subdomain gateway (mention caveat from webui: CORS issue on Peers page breaks geoip kubo#9983 (comment)), trustless, dnslink refer the cors spec + describe only own delta
3. make existing routing/v1 specs refer to it as well
4. resolve open question about Cache-Control (gateway: CORS and Cache-Control: only-if-cached #400)
5. make sure it covers CORS, Vary: Origin, and HTTP Caching ramifications identified in Fix HTTP Caching of Public Goods responses (remove Vary: Origin) ipshipyard/waterworks-community#7