improve REST interface security When using REST, we reflect the client's origin. If the wildcard '*' is used in allowed_api_origins all origins are allowed. When this is done, it also added an 'Access-Control-Allow-Credentials: true' header. This Credentials header should not be added if the site is matched only by '*'. This header should be provided only for explicit origins (e.g. https://example.org) not for the wildcard. This is now fixed for CORS preflight OPTIONS request as well as normal GET, PUT, DELETE, POST, PATCH and OPTIONS requests. A missing Access-Control-Allow-Credentials will prevent the tracker from being accessed using credentials. This prevents an unauthorized third party web site from using a user's credentials to access information in the tracker that is not publicly available. Added test for this specific case. In addition, allowed_api_origins can include explicit origins in addition to '*'. '*' must be first in the list. Also adapted numerous tests to work with these changes. Doc updates.

import operator

class MultiMapping:
    def __init__(self, *stores):
        self.stores = list(stores)
    def __getitem__(self, key):
        for store in self.stores:
            if key in store:
                return store[key]
        raise KeyError(key)
    _marker = []
    def get(self, key, default=_marker):
        for store in self.stores:
            if key in store:
                return store[key]
        if default is self._marker:
            raise KeyError(key)
        return default
    def __len__(self):
        return sum([len(x) for x in self.stores])
    def push(self, store):
        self.stores.append(store)
    def pop(self):
        return self.stores.pop()
    def items(self):
        l = []
        for store in self.stores:
            l = l + list(store.items())
        return l