Plug that validates the Origin request header against an allowlist.
Reads the allowlist from `conn.private[:allowed_origins]`. Behavior:

- `nil` or `"*"` — no restriction, all origins allowed
- A list of strings — only those origins are allowed
- OPTIONS requests always pass (CORS preflight)
- Requests without an `Origin` header pass (browser-less clients don't send it)
- Disallowed origins receive a 403 JSON error response
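
A minimal sketch of a plug with the behavior listed above, added here as an illustration and not the project's own source. The module name `Example.OriginAllowlist`, the error body, exact string matching against the list, and denial on any other allowlist value are assumptions; it needs the `plug` package on the code path (for example, run with `mix run` inside a project that depends on it).

```elixir
defmodule Example.OriginAllowlist do
  # Hypothetical module name; the behavior follows the list above.
  @behaviour Plug
  import Plug.Conn

  @impl true
  def init(opts), do: opts

  # CORS preflight always passes.
  @impl true
  def call(%Plug.Conn{method: "OPTIONS"} = conn, _opts), do: conn

  def call(conn, _opts) do
    case get_req_header(conn, "origin") do
      # No Origin header: browser-less client, let it through.
      [] -> conn
      [origin | _] ->
        if allowed?(origin, conn.private[:allowed_origins]), do: conn, else: reject(conn)
    end
  end

  # nil or "*": no restriction.
  defp allowed?(_origin, nil), do: true
  defp allowed?(_origin, "*"), do: true
  # Assumption: exact string comparison, no prefix, suffix or pattern matching.
  defp allowed?(origin, list) when is_list(list), do: origin in list
  # Assumption: any other value is a misconfiguration and is denied.
  defp allowed?(_origin, _other), do: false

  # 403 with a JSON body (body text is an assumption), then stop the pipeline.
  defp reject(conn) do
    conn
    |> put_resp_content_type("application/json")
    |> send_resp(403, ~s({"error":"origin not allowed"}))
    |> halt()
  end
end

# Constructed requests built with Plug.Test; the origins are sample values.
run = fn method, origin ->
  conn = Plug.Test.conn(method, "/api")
  conn = if origin, do: Plug.Conn.put_req_header(conn, "origin", origin), else: conn

  conn
  |> Plug.Conn.put_private(:allowed_origins, ["https://app.example.com"])
  |> Example.OriginAllowlist.call([])
  |> Map.take([:status, :halted])
end

for {m, o} <- [get: "https://app.example.com", get: "https://other.example", get: nil, options: "https://other.example"],
    do: IO.inspect({m, o, run.(m, o)})
```

Only the second constructed request is halted with status 403; the request without an `Origin` header and the OPTIONS request pass regardless of the allowlist, so the check constrains browsers and is not a substitute for authentication.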