Hello, I was wondering if it would be possible for you to add the HTTP header "Access-Control-Allow-Origin: *" to responses to the claim page. This would make it so sites with a Cross Origin Embedder Policy of require-corp are able to load the claim page. Thank you!
X-Forwarded-For/X-Real-IP/CF-Connecting-IP/etc should not be used as a source of IPs if CTI is not actually behind a reverse proxy.
(Maybe it should be a config option of some sort, along with a way to configure which IPs such headers can be accepted from)
Example:
Someone seems to have abused this already: