security: make CORS enforcement of non-API routes even more strict
Created by: slimsag
This PR is stacked on top of #27240.
There are three commits:
corsOrigin
setting.corsOrigin
only configure cross-origin access of our API routes. i.e. because a cross-origin request for verify email, sign out, etc. never makes any sense, we should be more strict.
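One way to express the policy described above, as an added example that is not part of the PR or the project's code: the configured origin list is consulted only for API routes, and every other route refuses cross-origin requests outright. The `/.api/` prefix, the 403 response, the function names and the sample origins and paths are assumptions made for illustration.

```go
package main

import (
	"fmt"
	"net/http"
	"path"
	"strings"
)

// apiPrefix is an assumed prefix for API routes; it is not taken from the PR.
const apiPrefix = "/.api/"

// decide returns the Access-Control-Allow-Origin value to send ("" for none)
// and whether to refuse the request. corsOrigin only ever affects API routes.
func decide(corsOrigin []string, urlPath, origin, selfOrigin string) (allowOrigin string, reject bool) {
	if origin == "" || origin == selfOrigin {
		return "", false // same-origin or non-browser request
	}
	// Clean first so "/.api/../x" is not mistaken for an API route.
	if !strings.HasPrefix(path.Clean(urlPath), apiPrefix) {
		return "", true // non-API route: refuse any cross-origin request
	}
	for _, o := range corsOrigin {
		if o == origin { // exact match only, no wildcard or suffix matching
			return origin, false
		}
	}
	return "", false // API route, unlisted origin: no CORS headers are sent
}

// strictCORS wraps next with the policy above.
func strictCORS(corsOrigin []string, selfOrigin string, next http.Handler) http.Handler {
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		allow, reject := decide(corsOrigin, r.URL.Path, r.Header.Get("Origin"), selfOrigin)
		if reject {
			http.Error(w, "cross-origin request refused", http.StatusForbidden)
			return
		}
		if allow != "" {
			w.Header().Set("Access-Control-Allow-Origin", allow)
			w.Header().Add("Vary", "Origin")
		}
		next.ServeHTTP(w, r)
	})
}

func main() {
	cfg := []string{"https://app.example.com"} // constructed sample config
	fmt.Println(decide(cfg, "/.api/graphql", "https://app.example.com", "https://sg.example.com"))
	fmt.Println(decide(cfg, "/-/sign-out", "https://app.example.com", "https://sg.example.com"))
}
```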