Attempt to determine the domain from the X-Forwarded-Host header value
If domain could not be determined, attempt to determine the domain from the InetAddress.getLocalHost().getCanonicalHostName() value
If domain could not be determined, attempt to determine the domain from the requested host name
If the domain could be determined from any of these sources, then the default whitelist will be based on that domain
If the domain cannot be determined
a. If the requested host name is NOT a variant of localhost, then the whitelist will be restricted to that specific host name
b. Otherwise, the localhost whitelist will be the default