Ok, I understand now. I didn't realize this was for the API JSON output. I can definitely add this to the pre-release module I am building for you.
Here is a link to how I will implement it, the section on Filter requests for CORS about half way down the page is what I will be doing and is all you need to read to get an idea of how it will work.
These are the 4 headers that I am planning on allowing, is this sufficient or would you prefer a free-text type of system where all you need to do is supply name/value pairs that will be added as headers to all response? Either way you will be allowed to change the values for the headers, they will not be hard coded as in the above example.