I am trying to restrict a cross origin call Apex using the new r friendly URL syntax and can't seem to find an option to do it.
With the Apex f URL syntax you have to specifically allow a cross origin call in ORDS using the ORD configuration security.externalSessionTrustedOrigin setting [Migrating from mod_plsql to ORDS]
With the r friendly URL syntax it appears to allow a cross origin call out of the box, this is similar to other ORDS modules
If I create my own ORDS module, then I can use ORDS.SET_MODULE_ORIGINS_ALLOWED to restrict the allowed origins. I can't find any documentation to say if this can be set for the r friendly URL syntax (what is the module) [Oracle REST Data Services PL/SQL Package Reference]
The allowed hosts setting at the instance or workplace level looked like it may help, but testing has shown this does not impact a cross origin (xhr) call.
Is there a setting I am missing somewhere?