Not sure if this is to late but I solved it by setting:
res.setHeader("Access-Control-Allow-Origin", req.headers.origin);
This will simply allow every connection as the headers.origin will be sent with every query.
You may want to write a function to check if the req.headers.origin is a whitelisted domain (from a hardcoded array) and the simply return this domain if it exists in the array.
