--- Revision 346531646132
+++ Revision 666230303566
@@ -53,19 +53,22 @@
 
 work flow : 
 
-is origins list empty in ini
+is the 'origins' section empty in ini ?
 yes -> is admin party set ? 
   yes -> return "*" , credentials false (with a good caching policy)
   no -> stop
-no -> 
-  is host in .ini ? 
-  yes ->
-    is origin in host cors list ?
+no ->
+  run the following steps [apply cors steps]
+    is Host in 'origins' ?
     yes ->
-      set the cors headers based on .ini
-      then are we on a db resource ?
-        yes ->
-          apply the intersection of .ini with db resource
-    no -> stop 
-  no ->
-    <bikeshed defaults>
+      is Origin in 'origins[Host]' ?
+      yes ->
+        set the cors headers based on 'origins[Host]'
+        are we on a db resource ?
+          yes ->
+            repeat 'apply cors steps' with the db _security object instead of the .ini
+          no ->
+            succeed
+      no -> fail 
+    no ->
+      <bikeshed defaults>