jaegermcp: restrict CORS to explicitly allowed origins

[jkowall]

Motivation

• The MCP HTTP server previously applied a hardcoded wildcard CORS policy, allowing any website to make cross-origin requests and read trace data, creating a data-exfiltration vector.

Description

• Add CORSAllowedOrigins []string (config key cors_allowed_origins) to the Jaeger MCP extension config and keep it nil by default to disable CORS.
• Only wrap the MCP HTTP handler with CORS middleware when the allowlist is non-empty, so CORS is opt-in rather than always enabled.
• Replace the unconditional Access-Control-Allow-Origin: * behavior with an allowlist-based middleware that sets Vary: Origin and returns Access-Control-Allow-Origin/preflight responses only for configured origins.
• Update unit tests to verify allowed-origin preflight behavior and disallowed-origin behavior.

Testing

• make fmt completed successfully.
• make lint was started and progressed through the lint pipeline but did not fully complete within this session.
• make test was started but did not fully complete within this session due to environment time limits.
• Targeted unit tests go test ./cmd/jaeger/internal/extension/jaegermcp -run 'TestCORSPreflight|TestCORSPreflightDisallowedOrigin' were executed but timed out in this environment before finishing.

---

Codex Task

[github-actions]

Hi @jkowall, thanks for your contribution! To ensure quality reviews, we limit how many concurrent PRs new contributors can open:

• Open: 6
• Limit: 1

This PR is currently on hold. We will automatically move this into the review queue once your existing PRs are merged or closed.

Please see our Contributing Guidelines for details on our tiered quota policy.

[yurishkuro]

confighttp should already have cors options. Also, we have a similar pr opened elsewhere.

[jkowall]

Closing this in favor of the upstream Jaeger PR: jaegertracing#8128 jaegertracing#8128