CORS settings are not configurable
It appears, based on the code here, that the CORS domain is hardcoded to a wildcard allow list. This conflicts with reverse proxies which add an additional Access-Control-Allow-Origin header and also defeats the purpose of CORS restrictions in allowing the server owner to determine who is allowed to directly issue requests from arbitrary webpages. Could this setting please be made configurable in order to allow a server to secure itself from cross-origin requests?
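A sketch of the behaviour requested above, as an added example that is not the project's code: the server builds its CORS headers from an operator-supplied allow list instead of a fixed wildcard, and a helper shows the duplicate-header conflict with a reverse proxy. The names `cors_headers`, `acao_values` and the `*.example` origins are hypothetical and constructed for illustration.

```python
ACAO = "Access-Control-Allow-Origin"


def normalize(origin):
    """Lower-case an origin string and drop surrounding space and a trailing slash."""
    return origin.strip().rstrip("/").lower()


def cors_headers(request_origin, allowed_origins):
    """Return the CORS headers to emit for one request, as (name, value) pairs.

    allowed_origins is the operator's configuration (hypothetical setting):
    ["*"] keeps the current wildcard behaviour, [] emits no ACAO header at all
    (for example when a reverse proxy sets it), and any other list is an
    exact-match allow list.
    """
    allowed = {normalize(o) for o in allowed_origins}
    if "*" in allowed:
        return [(ACAO, "*")]
    # The response now depends on the Origin request header, so caches must key on it.
    headers = [("Vary", "Origin")]
    if request_origin and normalize(request_origin) in allowed:
        headers.append((ACAO, request_origin))
    return headers


def acao_values(*header_lists):
    """Collect every ACAO value the browser would see across server and proxy headers."""
    return [value for headers in header_lists
            for name, value in headers if name.lower() == ACAO.lower()]


if __name__ == "__main__":
    # Constructed sample: header a reverse proxy adds on the way out.
    proxy = [(ACAO, "https://app.example")]

    # Hardcoded wildcard plus proxy header: two ACAO values, which browsers reject.
    print(acao_values(cors_headers("https://app.example", ["*"]), proxy))

    # Server configured with an empty list: only the proxy's value remains.
    print(acao_values(cors_headers("https://app.example", []), proxy))

    # Server configured with its own allow list: unknown origins get no ACAO header.
    print(cors_headers("https://other.example", ["https://app.example"]))
```

A response carrying more than one `Access-Control-Allow-Origin` value fails the browser's CORS check, which is why the hardcoded header and a proxy-added one cannot coexist.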