* Improve and simplify code handling CORS
* Don't execute request when origin not allowed
Fix vulnerability
* Remove webCorsOrigin legacy option
It's confusing (and potentially insecure as removing webCorsOrigin in configuration would still set it to localhost)
* Allow 127.0.0.1 and browser extension if localhost allowed