I want to start locking down things. There is a field Origin in the CORS middleware of Sparkle. How can I add more than one origin.
There is no such option in CORS middleware itself (only one origin is allowed for now). But you can easily accomplish it using a generic middleware:
procedure TForm3.XDataServer1GenericRequest(Sender: TObject;
Context: THttpServerContext; Next: THttpServerProc);
var
Origin: string;
begin
Origin := Context.Request.Uri.Host;
if IsValidOrigin(Origin) then // you should create your own IsValidOrigin
Context.Response.Headers.SetValue('Access-Control-Allow-Origin', Origin)
else
Context.Response.Headers.Remove('Access-Control-Allow-Origin');
Next(Context);
end;