Remove header:origin from cache key?

Open jcushman opened this issue 5 years ago • 0 comments

Our Cloudflare cache key currently includes the Origin: header, which is sent by browsers with CORS and POST requests.

This means that sites that use the API (like our search page, or third party sites) will each be in their own cache bucket, which is unnecessary for the most part and inefficient.

The one benefit I know of is that this would let us authorize some domains (like case.law) for credentialed CORS requests by mirroring back Access-Control-Allow-Origin: case.law for those requests. Otherwise we can't do that, because we have to send Access-Control-Allow-Origin: * for general usage.

But I think we can handle that case instead by having authorized sites use the Authorization header, which is also included in our cache key.

SOOOO I currently believe we should drop header:origin from the cache key.

jcushman, Feb 06 '19 16:02
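
The trade-off described in the issue, modelled as an added example (not code from the project or from Cloudflare): a toy cache whose key is the URL plus a configurable list of request headers. The request path, the site names other than case.law, and the token value are constructed, and `backend` is a hypothetical stand-in for the API.

```python
# Added example: toy model of a CDN cache key, not Cloudflare's implementation.
URL = "/v1/cases/?search=example"          # constructed request path
SITES = ["https://case.law", "https://search.example", "https://thirdparty.example"]

def make_requests():
    """Constructed traffic: each site fetches the same URL twice, then one authorized call."""
    reqs = [{"url": URL, "headers": {"Origin": s}} for s in SITES for _ in range(2)]
    reqs.append({"url": URL, "headers": {"Origin": SITES[0],
                                         "Authorization": "Token constructed-value"}})
    return reqs

def cache_key(req, key_headers):
    """Key = URL plus the value (or None) of every header configured into the key."""
    return (req["url"],) + tuple(req["headers"].get(h) for h in key_headers)

def backend(req, mirror_origin):
    """Hypothetical API backend: mirror the Origin header or send the wildcard."""
    origin = req["headers"].get("Origin")
    acao = origin if mirror_origin and origin else "*"
    return {"Access-Control-Allow-Origin": acao, "body": "case data"}

def simulate(key_headers, mirror_origin=False):
    """Replay the traffic; return (backend fetches, requests served a foreign ACAO)."""
    cache, fetches, wrong = {}, 0, 0
    for req in make_requests():
        key = cache_key(req, key_headers)
        if key not in cache:
            cache[key] = backend(req, mirror_origin)
            fetches += 1
        acao = cache[key]["Access-Control-Allow-Origin"]
        # A browser rejects a response whose ACAO names a different origin.
        if acao not in ("*", req["headers"]["Origin"]):
            wrong += 1
    return fetches, wrong

if __name__ == "__main__":
    print("Origin in key:        ", simulate(["Origin", "Authorization"]))
    print("Origin dropped:       ", simulate(["Authorization"]))
    print("dropped, but mirrored:", simulate(["Authorization"], mirror_origin=True))
```

The last case is the one to check for after the change: once Origin is out of the key, any backend path that still mirrors the Origin header gets its response cached and replayed to other sites, so the wildcard has to be the only value sent for cacheable responses.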