When AllowAllOrigins is set to false, a request with same origin and host should not be subject to the AllowOrigins-check.