guidelines :
----------
- rules should be based on host
- rules depending on the resource :
  - server : rules defined in .ini
  - db : rules defined in .db
- default cors policy (open for discussion)
  - allows credential = false
  - cors enabled
- cors can be disabled globally

rules definition :

global wide

[httpd]
cors_enabled = true

[origins]
domain.tld = http://origin.tld, https://origin.tld

[http://origin.tld]
allow_methods = GET, POST
allow_headers = x-couchdb-...
allow_credentials = false

[https://origin.tld]
allow_methods = GET, PUT, POST, DELETE
allow_headers = x-couchdb-...
allow_credentials = true
allow_server_admins = true
max-age = 36000

on the db _security object :

{
  "origins": {
    "domain.tld": [
      {"http://origin.tld": { "allow_methods": "GET, POST", ...}}
    ]
  }
}

work flow :

is the 'origins' section empty in ini ?
  yes -> is admin party set ?
    yes -> return "*" , credentials false (with a good caching policy)
    no -> stop
  no -> run the following steps [apply cors steps]
    is Host in 'origins' ?
      yes -> is Origin in 'origins[Host]' ?
        yes -> set the cors headers based on 'origins[Host]'
          are we on a db resource ?
            yes -> repeat 'apply cors steps' with the db _security object instead of the .ini
            no -> succeed
        no -> fail
      no ->
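An added example, not part of the original notes, modelling the work flow above in Python: the rule dicts are constructed from the sample .ini and _security object, and the same 'apply cors steps' function is run first over the .ini rules and then over the db rules for a db resource.

```python
"""Added example, not part of the original notes: a model of the 'work flow'.
Rules from the .ini and from the db _security object share one shape,
{host: {origin: rule}}, so one 'apply cors steps' function serves both."""

# Constructed from the .ini sample: [origins] maps a host to its allowed
# origins, and each origin has a section of allow_* settings.
INI_RULES = {
    "domain.tld": {
        "http://origin.tld": {"allow_methods": "GET, POST",
                              "allow_credentials": False},
        "https://origin.tld": {"allow_methods": "GET, PUT, POST, DELETE",
                               "allow_credentials": True, "max-age": 36000},
    }
}
# Constructed db _security "origins" entry: the db narrows the https origin.
DB_RULES = {"domain.tld": {"https://origin.tld": {"allow_methods": "GET"}}}

HEADER_FOR = {"allow_methods": "Access-Control-Allow-Methods",
              "allow_headers": "Access-Control-Allow-Headers",
              "max-age": "Access-Control-Max-Age"}

def apply_cors_steps(rules, host, origin):
    """'apply cors steps': None when Host is not in origins or Origin is not
    in origins[Host]; otherwise the CORS headers built from that rule."""
    by_origin = rules.get(host)
    if by_origin is None or origin not in by_origin:
        return None
    rule = by_origin[origin]
    headers = {"Access-Control-Allow-Origin": origin}
    for key, name in HEADER_FOR.items():
        if key in rule:
            headers[name] = str(rule[key])
    # Credentials are only granted to a named origin; browsers reject them
    # with a wildcard origin, which is why the "*" branch below never sets them.
    if rule.get("allow_credentials"):
        headers["Access-Control-Allow-Credentials"] = "true"
    return headers

def cors_headers(ini_rules, host, origin, admin_party=False, db_rules=None):
    """Full work flow: an empty [origins] section returns "*" with credentials
    false under admin party or stops; otherwise the .ini steps run, then the
    same steps run on the db _security object when a db resource is hit."""
    if not ini_rules:
        return {"Access-Control-Allow-Origin": "*"} if admin_party else None
    headers = apply_cors_steps(ini_rules, host, origin)
    if headers is None or db_rules is None:
        return headers
    return apply_cors_steps(db_rules, host, origin)
```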