improve REST interface security When using REST, we reflect the client's origin. If the wildcard '*' is used in allowed_api_origins all origins are allowed. When this is done, it also added an 'Access-Control-Allow-Credentials: true' header. This Credentials header should not be added if the site is matched only by '*'. This header should be provided only for explicit origins (e.g. https://example.org) not for the wildcard. This is now fixed for CORS preflight OPTIONS request as well as normal GET, PUT, DELETE, POST, PATCH and OPTIONS requests. A missing Access-Control-Allow-Credentials will prevent the tracker from being accessed using credentials. This prevents an unauthorized third party web site from using a user's credentials to access information in the tracker that is not publicly available. Added test for this specific case. In addition, allowed_api_origins can include explicit origins in addition to '*'. '*' must be first in the list. Also adapted numerous tests to work with these changes. Doc updates.

class StringFragmentCmpHelper:
    def compareStringFragments(self, s, fragments):
        """Compare a string agains a list of fragments where a tuple denotes a
        set of alternatives
        """
        pos = 0
        for frag in fragments:
            if type(frag) != tuple:
                self.assertEqual(s[pos:pos + len(frag)], frag)
                pos += len(frag)
            else:
                found = False
                for alt in frag:
                    if s[pos:pos + len(alt)] == alt:
                        pos += len(alt)
                        found = True
                        break

                if not found:
                    l = max(map(len, frag))
                    raise AssertionError('%s != %s' %
                                         (repr(s[pos:pos + l]), str(frag)))
        self.assertEqual(s[pos:], '')