security hardening

app/routes/api.public.girocode[.png].tsx

@@ -89,7 +89,12 @@ export const loader = async ({ request }: LoaderFunctionArgs) => {
     headers: {
       "Content-Type": "image/png",
       "Cache-Control": "private, max-age=300",
-      "Access-Control-Allow-Origin": "*",
+      // No CORS header: the PNG is rendered via an <s-image> tag in the
+      // checkout/customer-account extensions (see extensions/*/src/*.tsx),
+      // i.e. a plain image load, which is not subject to CORS. Dropping the
+      // previous `Access-Control-Allow-Origin: *` removes the ability for any
+      // origin to fetch() these bytes cross-origin while keeping the
+      // legitimate <img>-style loads working.
     },
   });
 };