Issue 2551384
Created on 2024-12-31 21:48 by rouilj, last changed 2025-01-01 02:55 by rouilj.
Messages

msg8240 | Author: [hidden] (rouilj) | Date: 2024-12-31 21:48

Currently the rest flow is:

1. check validity of origin header and log and return if missing or value not acceptable
2. check to see if it's a CORS preflight request; if so process the request and return. All of these are done as the anonymous user since credentials are not sent. Currently cors processing only checks to see if the Origin header is present, not if it's valid.
3. check if user is authorized to use REST, return 403 if not.

I want to change this to:

1. check to see if it's a CORS preflight request; if so process the request. The origin will be validated as part of the change.
2. check if user is authorized to use REST, returning 403 if not.
3. check validity of origin header and log and return if missing or value not acceptable

The old flow allows any user to generate bad origin header logging spam. The new flow requires the user to have REST access rights to generate bad header logs. If anonymous is allowed to use rest, logging spam can still be generated.

Since a CORS request is done automatically by the browser, it should always include an Origin header. Only somebody pretending to be CORS preflight would be missing the Origin, so I don't think we lose any debugging capability by not logging a missing Origin header in preflight mode.

Thoughts or concerns?
msg8242 | Author: [hidden] (rouilj) | Date: 2025-01-01 02:55

I have this working, but some 400 errors turn into 403 errors. This happens for malformed CORS preflight requests. Also if an Origin is invalid, but the user doesn't have REST access, the returned code is now 403 when it was 400 before.

I don't think this is a problem. For CORS, an error is an error so I claim 400 or 403 is all the same. By requiring the user to have REST access, unauthorized users can't probe valid ORIGIN headers.

It does have an upgrading.txt info notice as well as a CHANGES.txt entry.
History

Date | User | Action | Args
---|---|---|---
2025-01-01 02:55:30 | rouilj | set | status: new -> open; priority: normal; messages: + msg8242
2024-12-31 21:48:23 | rouilj | create |