The invalid origin failing the same origin test is already logged, but there could be cases where invalid origins can not be logged, so did a minor update to log it and also did the same for the invalid method. These are only 2 cases where 403 is returned.
Preflight requests can also fail indirectly with 200, by not including some of the expected CORS headers for allowed/exposed headers but making a correct LOG message as to whether a given header is invalid is trickier and may be misleading, for this PR I'd like to avoid it