fix(@angular-devkit/build-angular): remove unconditional CORS wildcard from webpack dev-server

The legacy webpack-based dev-server unconditionally sets
`Access-Control-Allow-Origin: *` on every response. This overrides
webpack-dev-server v5's cross-origin protections and leaves the local
dev server readable by any web page the developer visits in the same
browser session.

The modern `@angular/build` dev-server (Vite-based) already does not
set this header by default; its test contract explicitly asserts that
`Access-Control-Allow-Origin` is absent unless the user configures it.
This change brings the legacy webpack dev-server in line with that
contract.

Users who relied on the previous behavior can opt back in explicitly
via the existing `headers` option in `angular.json`:

  "serve": {
    "options": {
      "headers": { "Access-Control-Allow-Origin": "*" }
    }
  }