Fix suggest on staging in Firefox (#2277)

Fix #2245

lib/suggest.js

@@ -107,16 +107,31 @@ function setRoutes(allowedOrigin, githubApiProvider, server) {
   server.ajax.on('suggest/v1', (data, end, ask) => {
     // The typical dev and production setups are cross-origin. However, in
     // Heroku deploys and some self-hosted deploys these requests may come from
-    // the same host.
+    // the same host. Chrome does not send an Origin header on same-origin
+    // requests, but Firefox does.
+    //
+    // It would be better to solve this problem using some well-tested
+    // middleware.
     const origin = ask.req.headers.origin
     if (origin) {
-      if (allowedOrigin.includes(origin)) {
-        ask.res.setHeader('Access-Control-Allow-Origin', origin)
-      } else {
+      let host
+      try {
+        host = new URL(origin).hostname
+      } catch (e) {
         ask.res.setHeader('Access-Control-Allow-Origin', 'null')
         end({ err: 'Disallowed' })
         return
       }
+
+      if (host !== ask.req.headers.host) {
+        if (allowedOrigin.includes(origin)) {
+          ask.res.setHeader('Access-Control-Allow-Origin', origin)
+        } else {
+          ask.res.setHeader('Access-Control-Allow-Origin', 'null')
+          end({ err: 'Disallowed' })
+          return
+        }
+      }
     }
 
     let url