Github user alopresto commented on the issue:
https://github.com/apache/nifi/pull/3024
Verified by sending curl POST commands with a client certificate to upload
a template. With the `Origin` header set to a remote domain, the request is
blocked with the response "Invalid CORS request".
Ran `contrib-check` and all tests pass. +1, merging. ---
