Cors is not working for two different origins

Solution 1:

The Origin header is only set in cross-origin requests. If you call your backend directly, the Javascript value is undefined, and in this case you must not restrict anything. You could, for example, write

if (!origin || whitelist.has(origin)) {
  callback(null, true);
}