feat: handle Chrome CORS preflight private network header

[randing89]

Based on https://developer.chrome.com/blog/private-network-access-preflight/

Chrome will start sending a CORS preflight request ahead of any private network request for a subresource, which asks for explicit permission from the target server. This preflight request will carry a new header, Access-Control-Request-Private-Network: true, and the response to it must carry a corresponding header, Access-Control-Allow-Private-Network: true.

This fixes #290 and #236