Added access control header for start mode

no refs

- since portal script is loaded with `crossorigin:anonymous` now, we need to pass in the access control headers for script to bypass cors check

ghost/portal/scripts/start-mode.js

@@ -131,6 +131,9 @@ function startDevServer() {
                     headers: [{
                         key: 'Cache-Control',
                         value: 'no-cache'
+                    },{
+                        key: 'Access-Control-Allow-Origin',
+                        value: '*'
                     }]
                 }
             ]