CORS should be disabled for allowed clients

[simonv3]

If we want apps in different places to be able to use the id service (and the resulting user-api, tracks-api/v3) then we need to say that their origins are trusted. For example, if someone is developing on localhost:8080 they should be able to develop the stream app. Beam faces a similar issue.

Currently what apps are defined in TrustedOrigins is defined cmd/run_server.go. This looks like it's drawing from the config file here. I'm assuming that that config file actually looks different on the server, and that's just for the dev environment.

I see two options:

1. The easy fix: add localhost:8080 to the config file above.
2. Harder but possibly more future-proof: limit CORS to be only allowable from the default config above alongside any client host locations stored in the DB.

[auggod]

TrustedOrigins is only relevant to csrf and I don't believe this is what we're looking for here.

[simonv3]

Yep, sounds like this was something that needed to be set on the nginx config. It's now fixed!