The OAuth2 token endpoint has completely open CORS rules. There's enough security here using other mechanisms that there's no risk here.
Other endpoints by default have no CORS rules, but this can be turned on with the cors.allowOrigin database setting. When this is on, it overrides the OAuth2 CORS rules and the token endpoint gets the same restriction as cors.allowOrigin. I'm not sure if this is what we want.