Builds a CORS interceptor that allows calls from the specified `allowed-origins`, which is one of the following:

- a sequence of strings

- a function of one argument that returns a truthy value when an origin is allowed

- a map containing the following keys and values

  :allowed-origins - either sequence of strings or a function as above

  :creds - true or false, indicates whether client is allowed to send credentials

  :max-age - a long, indicates the number of seconds a client should cache the response from a preflight request

  :methods - a string, indicates the accepted HTTP methods.  Defaults to "GET, POST, PUT, DELETE, HEAD, PATCH, OPTIONS"