As of f814dd9908355465dd03735f4589dd1697b3658a, debug
mode causes an extra X-Debug-Mode header to be sent
by the rpc() JS method.
This custom header was not whitelisted in the accepted
CORS headers, therefore any cross-origin call to a route with
`cors=True` would fail in debug mode, with a console error
along those lines:
"Request header field X-Debug-Mode is not allowed by
Access-Control-Allow-Headers in preflight response"
This would prevent loading the POS GUI in debug mode,
for example.
This commit is necessary in the 8.0 branch because
the POSBox is currently based on a 8.0 server and may
be accessed by a 9.0 POS or later, thus with the extra header.