Fix up CORS

Previously had been checking Origin AND Host header, but we should not
check Host header... Removed Host check and only check if Origin header
is set, because otherwise CORS doesn't apply (could be a same-origin
request).

php/add.php

@@ -3,21 +3,24 @@ if(!isset($_POST['domain'], $_POST['list'], $_POST['token']))
     die("Missing POST variables");
 
 // Check CORS
-if($_SERVER['HTTP_ORIGIN'] == "http://pi.hole" || $_SERVER['HTTP_ORIGIN'] == "http://${_SERVER['SERVER_ADDR']}")
-    header("Access-Control-Allow-Origin: ${_SERVER['HTTP_ORIGIN']}");
-else if($_SERVER['HTTP_HOST'] == $_SERVER['SERVER_ADDR'] || $_SERVER['HTTP_HOST'] == "pi.hole")
-    header("Access-Control-Allow-Origin: ${_SERVER['HTTP_HOST']}");
-else
-    die("Failed CORS");
-
-session_start();
+if(isset($_SERVER['HTTP_ORIGIN'])) {
+    if ($_SERVER['HTTP_ORIGIN'] == "http://pi.hole" ||
+        $_SERVER['HTTP_ORIGIN'] == "http://${_SERVER['SERVER_ADDR']}" ||
+        $_SERVER['HTTP_ORIGIN'] == "http://localhost"
+    )
+        header("Access-Control-Allow-Origin: ${_SERVER['HTTP_ORIGIN']}");
+    else
+        die("Failed CORS");
+}
+// Otherwise probably same origin... out of the scope of CORS
 
 // Check CSRF token
+session_start();
 if(!hash_equals($_SESSION['token'], $_POST['token']))
     die("Wrong token");
 
 switch($_POST['list']) {
-    case "white":        
+    case "white":
         echo exec("sudo pihole -w -q ${_POST['domain']}");
         break;
     case "black":