As far as I can tell, there is no current documentation that mentions use of anything other than the APP_BASE_URL environment variable. Even though the code does use USER_CONTENT_BASE_URL and API_BASE_URL. Maybe the easy/safe fix is to specify that the origin is valid if none of the other base url environment variables are specified? That way this code will continue to function as designed when different domains are used.