--- Revision 303931386635
+++ Revision 396437386130
@@ -49,7 +49,9 @@
 
 work flow : 
 
-is the 'origins' section empty in ini ?
+for /db resources, including system dbs, use the db _security object
+for all other resources (e.g. /_uuids), use the ini configuration
+is the 'origins' section empty or non-existant ?
 yes -> is admin party set ? 
   yes -> return "*" , credentials false (with a good caching policy)
   no -> stop
@@ -60,11 +62,6 @@
       is Origin in 'origins[Host]' ?
       yes ->
         set the cors headers based on 'origins[Host]'
-        are we on a db resource ?
-          yes ->
-            repeat 'apply cors steps' with the db _security object instead of the .ini
-          no ->
-            succeed
       no -> fail 
     no ->
       <bikeshed defaults>