improve REST interface security When using REST, we reflect the client's origin. If the wildcard '*' is used in allowed_api_origins all origins are allowed. When this is done, it also added an 'Access-Control-Allow-Credentials: true' header. This Credentials header should not be added if the site is matched only by '*'. This header should be provided only for explicit origins (e.g. https://example.org) not for the wildcard. This is now fixed for CORS preflight OPTIONS request as well as normal GET, PUT, DELETE, POST, PATCH and OPTIONS requests. A missing Access-Control-Allow-Credentials will prevent the tracker from being accessed using credentials. This prevents an unauthorized third party web site from using a user's credentials to access information in the tracker that is not publicly available. Added test for this specific case. In addition, allowed_api_origins can include explicit origins in addition to '*'. '*' must be first in the list. Also adapted numerous tests to work with these changes. Doc updates.

''' Wrapper for getargspec to support other callables and python 3 support

In python 3 just uses getfullargspec which handles regular functions
and classes with __call__ methods.
'''

try:
    # Python 3+
    from inspect import getfullargspec as getargspec
    findargspec = getargspec
except ImportError:
    # Python 2.5-2.7 modified from https://bugs.python.org/issue20828
    import inspect

    def findargspec(fn):
        if inspect.isfunction(fn) or inspect.ismethod(fn):
            inspectable = fn
        elif inspect.isclass(fn):
            inspectable = fn.__init__
        elif callable(fn):
            inspectable = fn.__call__
        else:
            inspectable = fn

        try:
            return inspect.getargspec(inspectable)
        except TypeError:
            raise