As far as I can tell, there is no current documentation that mentions use of anything other than the APP_BASE_URL environment variable. Even though the code does use USER_CONTENT_BASE_URL and API_BASE_URL. Maybe the easy/safe fix is to specify that the origin is valid if none of the other base url environment variables are specified? That way this code will continue to function as designed when different domains are used.
Not a proper fix, but this is the method I used to bypass it in my Docker environment. As with anything that may break or not work or cause damage elsewhere so follow with caution and also double check everything!