Lock down the api to a single domain

[tmutton]

In issue #1 we added the ability to make cross domain posts but now we'd like to make this more secure by making posts available to a single domain.

This can be achieved by changing the property in the web section of the arm template from:

"cors": {
              "allowedOrigins": [
                "*"
              ]
            }

to:

"cors": {
              "allowedOrigins": [
                "http://yourdomain.com"
              ]
            }

The domain should be taken from a parameter filled out by the user upon deployment setup.

[tmutton]

After spending a bit of time researching this I figured out the code below needs to go in "properties" of the web site resource.

"siteConfig": {
          "cors": {
            "allowedOrigins": [
              "http://myDomain.com"
            ]
          }
        }

This solution requires more thinking because the user may not have a live domain. This ideally should be an optional parameter (preferably comma delimited to reflect the destination type). We also need to think about what happens when they don't specify a value. Will the system fail or enter an empty record?

I will add in the wiki that the user should be entering this information manually for now until we find a suitable solution.