Question about configuring CORS using Corsica

I am trying to configure my app to reject connections from any website except for a very short whitelist.

As a first pass, I have simply put “” as the only website in the whitelist and I expect the app to reject everything.

Why is it not working?

Earlier I had the plug Corsica line down below the plug Plug.Head line, but got the same behavior.

In fact, commenting out the plug Corsica line does not seem to change any behavior.

Here is my endpoint.ex file

defmodule MyAppWeb.Endpoint do
  use Phoenix.Endpoint, otp_app: :my_app

  socket "/socket", MyAppWeb.UserSocket

  plug Corsica, log: [rejected: :debug, accepted: :debug, invalid: :debug], origins: [""]

  # Serve at "/" the static files from "priv/static" directory.
  # You should set gzip to true if you are running phoenix.digest
  # when deploying your static files in production.
  plug Plug.Static,
    at: "/", from: :my_app, gzip: false,
    only: ~w(css fonts images js favicon.ico robots.txt)

  # Code reloading can be explicitly enabled under the
  # :code_reloader configuration of your endpoint.
  if code_reloading? do
    socket "/phoenix/live_reload/socket", Phoenix.LiveReloader.Socket
    plug Phoenix.LiveReloader
    plug Phoenix.CodeReloader

  plug Plug.RequestId
  plug Plug.Logger

  plug Plug.Parsers,
    parsers: [:urlencoded, :multipart, :json],
    pass: ["*/*"],
    json_decoder: Poison

  plug Plug.MethodOverride
  plug Plug.Head

  # The session will be stored in the cookie and signed,
  # this means its contents can be read but not tampered with.
  # Set :encryption_salt if you would also like to encrypt it.
  plug Plug.Session,
    store: :cookie,
    key: "_my_app_key",
    signing_salt: "fLsXNS/g"

  plug MyAppWeb.Router

  @doc """
  Callback invoked for dynamically configuring the endpoint.

  It receives the endpoint configuration and checks if
  configuration should be loaded from the system environment.
  def init(_key, config) do
    if config[:load_from_system_env] do
      port = System.get_env("PORT") || raise "expected the PORT environment variable to be set"
      {:ok, Keyword.put(config, :http, [:inet6, port: port])}
      {:ok, config}

I think the issue is that CORS does not apply to websockets.