I also don’t really have much time to dig into that at the moment. And I have not had need for that functionality for some time, so its kinda been neglected. I’d gladly allow someone else interested in taking over that plugin to maintain it going forward.
Actually, I am not convinced that issue is an actual bug. The requests in question don’t seem an accurate reflection of actual cross-origin requests from a browser that the plugin is intended to help with. Namely, they never set the Origin header. Can you please provider more details and specific requests that do not behave as you expect?