improve REST interface security When using REST, we reflect the client's origin. If the wildcard '*' is used in allowed_api_origins all origins are allowed. When this is done, it also added an 'Access-Control-Allow-Credentials: true' header. This Credentials header should not be added if the site is matched only by '*'. This header should be provided only for explicit origins (e.g. https://example.org) not for the wildcard. This is now fixed for CORS preflight OPTIONS request as well as normal GET, PUT, DELETE, POST, PATCH and OPTIONS requests. A missing Access-Control-Allow-Credentials will prevent the tracker from being accessed using credentials. This prevents an unauthorized third party web site from using a user's credentials to access information in the tracker that is not publicly available. Added test for this specific case. In addition, allowed_api_origins can include explicit origins in addition to '*'. '*' must be first in the list. Also adapted numerous tests to work with these changes. Doc updates.

--- a/test/test_config.py	Tue Feb 21 23:06:15 2023 -0500
+++ b/test/test_config.py	Thu Feb 23 12:01:33 2023 -0500
@@ -305,12 +305,13 @@
         config = configuration.CoreConfig()
 
         with self.assertRaises(configuration.OptionValueError) as cm:
-            config._get_option('WEB_ALLOWED_API_ORIGINS').set("* https://foo.edu")
+            config._get_option('WEB_ALLOWED_API_ORIGINS').set("https://foo.edu *")
+
+        config._get_option('WEB_ALLOWED_API_ORIGINS').set("* https://foo.edu HTTP://baR.edu")
 
-        config._get_option('WEB_ALLOWED_API_ORIGINS').set("https://foo.edu HTTP://baR.edu")
-
-        self.assertEqual(config['WEB_ALLOWED_API_ORIGINS'][0], 'https://foo.edu')
-        self.assertEqual(config['WEB_ALLOWED_API_ORIGINS'][1], 'HTTP://baR.edu')
+        self.assertEqual(config['WEB_ALLOWED_API_ORIGINS'][0], '*')
+        self.assertEqual(config['WEB_ALLOWED_API_ORIGINS'][1], 'https://foo.edu')
+        self.assertEqual(config['WEB_ALLOWED_API_ORIGINS'][2], 'HTTP://baR.edu')