security: make CORS enforcement of non-API routes even more strict
Created by: slimsag
This PR is stacked on top of #27240.
There are three commits:
- The first has no behavior change, it just moves code around to make the next commit even more clean and make the logic more legible.
- The second:
  - Forbids cross-origin requests for all non-API routes, even if they are from an allowed origin in the site config `corsOrigin` setting.
  - Effectively makes `corsOrigin` only configure cross-origin access of our API routes. i.e. because a cross-origin request for verify email, sign out, etc. never makes any sense, we should be more strict.
  - Fixes sourcegraph/security-issues#176
- The third updates our CSRF threat model document to reflect the improvements.
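
The rule the second commit describes, sketched as HTTP middleware. This is an added example, not code from the PR or from Sourcegraph. The `/api/` prefix, the `enforceCORS` and `status` names, the origins, the paths and the treatment of a missing `Origin` header as same-origin are all assumptions made for illustration.

```go
package main

import (
	"fmt"
	"net/http"
	"net/http/httptest"
	"strings"
)

// apiPrefix is an assumed prefix for API routes (placeholder, not from the PR).
const apiPrefix = "/api/"

// enforceCORS rejects every cross-origin request to a non-API route, even from
// an origin in allowed (standing in for the corsOrigin setting), which only
// grants access to API routes. Requests without an Origin header, or whose
// Origin equals siteOrigin, are treated as same-origin (assumption).
func enforceCORS(siteOrigin string, allowed map[string]bool, next http.Handler) http.Handler {
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		origin := r.Header.Get("Origin")
		if origin != "" && origin != siteOrigin {
			if !strings.HasPrefix(r.URL.Path, apiPrefix) || !allowed[origin] {
				http.Error(w, "cross-origin request forbidden", http.StatusForbidden)
				return
			}
			w.Header().Set("Access-Control-Allow-Origin", origin)
			w.Header().Add("Vary", "Origin")
		}
		next.ServeHTTP(w, r)
	})
}

// status sends one constructed request through h and returns the response code.
func status(h http.Handler, method, path, origin string) int {
	req := httptest.NewRequest(method, path, nil)
	if origin != "" {
		req.Header.Set("Origin", origin)
	}
	rec := httptest.NewRecorder()
	h.ServeHTTP(rec, req)
	return rec.Code
}

func main() {
	ok := http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {})
	h := enforceCORS("https://sg.example.com", map[string]bool{"https://app.example.org": true}, ok)
	fmt.Println(status(h, "POST", "/sign-out", "https://app.example.org"))    // allowed origin, non-API route
	fmt.Println(status(h, "POST", "/api/graphql", "https://app.example.org")) // allowed origin, API route
}
```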