charts/nginz: fix fail-open behaviour in CORS configuration.
The previous commits adding CORS configuration set the access control header
to unconditionally return the Origin header sent with the request. This would
cause fail-open behaviour, where any Origin sent by a client would be allowed.
Instead, the $cors_header variable is used, as this is specifically set based
on the request Origin header so that only origins which are explicitly in the
Helm chart's allow list configuration may make cross-origin requests to nginz
API endpoints.
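
The difference the commit message describes, as an added nginx sketch that is not taken from the chart or the commit. The origins, upstream and location paths are placeholders, and building `$cors_header` with a `map` is an assumption about how such a variable can be set.

```nginx
# Added example (http context). All names and origins below are placeholders.

upstream backend {
    server 127.0.0.1:8081;
}

# Derive $cors_header from the request's Origin header. Only exact matches
# against the allow list echo the origin back; anything else maps to "".
map $http_origin $cors_header {
    default                        "";
    "https://app.example.com"      $http_origin;
    "https://admin.example.com"    $http_origin;
}

server {
    listen 8080;

    location /fail-open/ {
        # Fail-open: reflects whatever Origin the client sent, so every
        # origin is allowed to make cross-origin requests.
        add_header Access-Control-Allow-Origin $http_origin always;
        add_header Vary Origin always;
        proxy_pass http://backend;
    }

    location /allow-list/ {
        # nginx does not emit a header whose value is the empty string,
        # so unlisted origins get no Access-Control-Allow-Origin at all.
        add_header Access-Control-Allow-Origin $cors_header always;
        add_header Vary Origin always;
        proxy_pass http://backend;
    }
}
```

A request carrying an unlisted Origin should come back from the second location with no `Access-Control-Allow-Origin` header, which is a quick check that the allow list is in effect.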