If you want to allow any domain to call your endpoint as per the comment in your code, you would use a wildcard instead of this.request.headers.origin
//The server allows any domain to call it with the XMLHttpRequest
this.response.setHeader("Access-Control-Allow-Origin", "*");