The following results in a false positive:

```
server {
    if ($http_origin ~* ((https://[A-Za-z0-9\-]+\.google\.com)|(http://localhost:123))$ ) {
        set $cors 'true';
    }
}
```

The origin is only the schema+hostname+optional port. Since there's an end anchor, it cannot be anything malicious.
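Added example, not part of the original report: the posted pattern run against constructed `Origin` values, with Python's `re` standing in for nginx's PCRE (`~*` mapped to `re.IGNORECASE`). The simplified `ORIGIN_SHAPE` check, the helper names and the sample hosts are assumptions made here.

```python
import re

# Pattern copied from the nginx `if` in the report; `~*` is a case-insensitive match.
POSTED = r"((https://[A-Za-z0-9\-]+\.google\.com)|(http://localhost:123))$"
# Same pattern with the end anchor dropped, for comparison only.
NO_END_ANCHOR = POSTED[:-1]

# Assumption: simplified shape of a serialized origin, scheme://host[:port],
# with no path, query, userinfo or whitespace.
ORIGIN_SHAPE = re.compile(r"https?://[A-Za-z0-9.\-]+(:[0-9]{1,5})?\Z", re.IGNORECASE)

# Constructed sample values (hypothetical hosts).
SAMPLES = [
    "https://mail.google.com",
    "http://localhost:123",
    "https://mail.google.com.attacker.example",
    "http://localhost:1234",
    "https://attacker.example",
    "https://attacker.example/?next=https://mail.google.com",  # has a path: not an origin
]

def is_serialized_origin(value):
    return ORIGIN_SHAPE.match(value) is not None

def nginx_match(pattern, value):
    # nginx regex matches are unanchored unless the pattern anchors them,
    # which corresponds to re.search rather than re.match.
    return re.search(pattern, value, re.IGNORECASE) is not None

def accepted(pattern, samples=SAMPLES, origins_only=True):
    """Return the samples for which the nginx `if` would set $cors."""
    return [v for v in samples
            if nginx_match(pattern, v)
            and (is_serialized_origin(v) or not origins_only)]

if __name__ == "__main__":
    for v in SAMPLES:
        print(f"{v!r:60} origin={is_serialized_origin(v)!s:5} "
              f"posted={nginx_match(POSTED, v)!s:5} "
              f"no_end_anchor={nginx_match(NO_END_ANCHOR, v)}")
```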