Fixes "origin reflected" check

Previously there was a missing call to `headers = requester(url, scheme,
header_dict, origin)` in the "origin reflected" check. This meant that
the code was not using the intended origin (`origin = root + '://' +
'example.com'`). Intead, the check incorreclty used the headers from the
first request (with `origin = scheme + '://' + root`). This commit fixes
this problem by making the missing request.

core/tests.py

@@ -25,16 +25,18 @@ def passive_tests(url, headers):
 def active_tests(url, root, scheme, header_dict, delay):
     origin = scheme + '://' + root
     headers = requester(url, scheme, header_dict, origin)
-    if headers:
+    acao_header, acac_header = headers.get('access-control-allow-origin', None), headers.get('access-control-allow-credentials', None)
+    if acao_header is None:
+        return
+    
     origin = root + '://' + 'example.com'
+    headers = requester(url, scheme, header_dict, origin)
     acao_header, acac_header = headers.get('access-control-allow-origin', None), headers.get('access-control-allow-credentials', None)
     if acao_header and acao_header == (origin):
         info = details['origin reflected']
         info['acao header'] = acao_header
         info['acac header'] = acac_header
         return {url : info}
-        elif not acao_header:
-            return
     time.sleep(delay)
 
     origin = scheme + '://' + root + '.example.com'