Matomo has a configuration option to restrict CORS requests to specific domains and that's correctly implemented in the CORSHandler in the case of
GET requests. However, some additional code overrides the CORSHandler in the case of non-
Unless there is a reason for bypassing the CORSHandler, it would be safer to treat all HTTP methods the same.
Note: This is in the tracker context only. I'll also post the same comment in the PR just in case someone reads it.
@fmarier If we removed this then POST tracking requests wouldn't work anymore and always fallback to GET.
This is currently their on purpose and because not really any information can be retrieved from this it shouldn't be any problem.