Allow origin is now to the http_origin because origin "*" will fail if
withCredentials is set in the request header