Andrew Bolyachevets

I think the reason the list is empty is because cors policy needs to be updated to include *.run.app urls from gcp, probably here https://github.com/bcgov/sbc-auth/blob/3c78b5029091c96c16fbd16d383508f899945906/auth-web/firebase.json#L23 that's where safe_list api is...