cachet-docker/app/filters/AllowedDomainsFilter.php

<?php

class AllowedDomainsFilter
{
    public function filter($route, $request, $response)
    {
        // Always allow our own domain.
        $ourDomain = Setting::get('app_domain');
        $response->headers->set('Access-Control-Allow-Origin', $ourDomain);

        // Should we allow anyone else?
        if ($setting = Setting::get('allowed_domains')) {
            $domains = explode(',', $setting);
            foreach ($domains as $domain) {
                $response->headers->set('Access-Control-Allow-Origin', $domain);
            }
        }

        return $response;
    }
}