Roundup Tracker - Issues

Message7534

Author rouilj
Recipients marcus.priesch, rouilj
Date 2022-05-17.15:33:20
Message-id <20220517153319.BB10B6A0289@pe15.cs.umb.edu>
In-reply-to
When using roundup's rest or xmlrpc api interfaces from an application
not at the same origin as the roundup tracker, CORS and CORS preflight
are used (see issue2551203).

This scenario looks like it requires disabling
csrf_enforce_header_origin in config.ini for html and api requests. To
stop this add a config.ini option:

  allowed_origins_for_api =

that can take a comma separated list of url prefixes (ending with /)
or the character '*'.

The origin header when evaluating xmlrpc or rest requests must begin
with:

  tracker.web (base element so scheme://host/)
  any value on the allowed_origins_for_api

If the allowed_origins_for_api is * the origin is allowed.

For preflight requests, the returned value for
Access-Control-Allow-Origin should be the client supplied origin
value.

This test should be extracted to a method on the client class
(check_origin_header(self, api=False)) and called in handle_csrf(self,
xmlrpc=False) replacing the existing origin check code. If handle_csrf
is called with xmlrpc=True, call check_origin_header with
api=True. (Consider replacing the name xmlrpc with api.)

It should also be used in client.py::handle_rest() (with api=True) to
verify the origin header for preflight requests. If the Origin header
check fails for preflight return 401 with no CORS preflight headers.
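The origin check proposed above, as an added illustration (not Roundup's own code): the function names, the argument shapes and the sample origins are assumptions, and config values are passed in as plain strings instead of being read from config.ini.

```python
from urllib.parse import urlsplit


def parse_allowed_origins(value):
    """Parse the proposed allowed_origins_for_api value: a comma separated
    list of url prefixes (ending with /) or the single character '*'.
    Hypothetical helper; prefixes missing the trailing / get one so that a
    prefix match cannot accept https://app.example.evil for https://app.example."""
    items = [v.strip() for v in value.split(',') if v.strip()]
    if '*' in items:
        return '*'
    return [v if v.endswith('/') else v + '/' for v in items]


def tracker_base(tracker_web):
    """Reduce tracker.web (e.g. https://host/tracker/) to scheme://host/."""
    parts = urlsplit(tracker_web)
    return '%s://%s/' % (parts.scheme, parts.netloc)


def check_origin_header(origin, tracker_web, allowed_origins_for_api='', api=False):
    """Return True when the Origin header value is acceptable.
    html requests (api=False) only accept the tracker's own scheme://host/.
    api requests (api=True) also consult allowed_origins_for_api.
    Assumption: a missing Origin header is treated as not allowed."""
    if not origin:
        return False
    # Browsers send Origin without a trailing slash; add one so that the
    # prefix comparison is done on whole host names, not substrings.
    candidate = origin if origin.endswith('/') else origin + '/'
    if candidate.startswith(tracker_base(tracker_web)):
        return True
    if not api:
        return False
    allowed = parse_allowed_origins(allowed_origins_for_api)
    if allowed == '*':
        return True
    return any(candidate.startswith(prefix) for prefix in allowed)


def preflight_response(origin, tracker_web, allowed_origins_for_api=''):
    """Status and CORS headers for an api preflight: 401 with no CORS
    headers when the check fails, otherwise echo the client supplied origin.
    'Vary: Origin' is not in the proposal; it is added so caches do not
    reuse one origin's answer for another."""
    if not check_origin_header(origin, tracker_web, allowed_origins_for_api, api=True):
        return 401, {}
    return 200, {'Access-Control-Allow-Origin': origin, 'Vary': 'Origin'}
```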
History

Date                 User    Action  Args
2022-05-17 15:33:20  rouilj  set     recipients: + rouilj, marcus.priesch
2022-05-17 15:33:20  rouilj  link    issue2551205 messages
2022-05-17 15:33:20  rouilj  create