When using the default options, as the docs describe, without defining an origin, the response will set Access-Control-Allow-Origin to the request Origin header.
Enable cors with default options:
origin: request Origin header
But if hit with a request that sets Origin: null, then the response will be Access-Control-Allow-Origin: null.
There are a lot of sources that say don't do this...
https://w3c.github.io/webappsec-cors-for-developers/#avoid-returning-access-control-allow-origin-null
I'm not really an expert in this area, but would there be a better default behavior than...

```js
// https://github.com/koajs/cors/blob/master/index.js#L66
origin = options.origin || requestOrigin;
```

... if the requestOrigin were null?
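To make the difference concrete, here is an added example (not code from koajs/cors or from the issue author) that models the reflective default quoted above beside a hardened origin resolver. It is a stand-alone dependency-free model, not the middleware itself: `defaultOriginHeader` mirrors the one-liner `options.origin || requestOrigin`, while `safeOriginHeader` is written in the shape of an `origin` callback, which I assume here takes the request's `Origin` value directly and returns the header value (an empty string meaning "send no CORS headers"); the real `@koa/cors` callback receives the Koa `ctx`, so an adapter would read `ctx.get('Origin')` first. `ALLOWED_ORIGINS` and the sample origins are constructed for the demonstration.

```javascript
// Added example, not part of koajs/cors. Models how the value of
// Access-Control-Allow-Origin is derived under the reflective default the
// issue describes, next to a hardened resolver that never echoes "null".

// Constructed allowlist for the demonstration; exact-match entries only.
const ALLOWED_ORIGINS = new Set([
  'https://app.example.com',
  'https://admin.example.com',
]);

// Reflective default, as quoted in the issue: origin = options.origin || requestOrigin.
// Returns the value that would be written into Access-Control-Allow-Origin
// ('' means the header is omitted). With no configured origin, whatever the
// client sent, including the literal string "null", is echoed back.
function defaultOriginHeader(requestOrigin, options = {}) {
  const origin = options.origin || requestOrigin;
  return origin || '';
}

// Hardened resolver in the shape of an `origin` callback (assumption: takes the
// raw Origin header value and returns the header value, or '' to skip CORS).
function safeOriginHeader(requestOrigin) {
  // No Origin header: not a cross-origin request, nothing to allow.
  if (!requestOrigin) return '';
  // Sandboxed iframes, cross-origin redirects and opaque origins send the
  // literal string "null"; any attacker-controlled page can produce it, so it
  // must never be reflected (see the w3c guidance linked in the issue).
  if (requestOrigin === 'null') return '';
  // Reflect only explicitly allowlisted origins, compared exactly
  // (scheme + host + port), so lookalike or suffix origins do not match.
  return ALLOWED_ORIGINS.has(requestOrigin) ? requestOrigin : '';
}

// Builds the response headers for a given resolver. When an origin is
// reflected, Vary: Origin is required so shared caches do not serve one
// origin's CORS response to another.
function buildCorsHeaders(requestOrigin, resolver) {
  const allowed = resolver(requestOrigin);
  if (!allowed) return {};
  return { 'Access-Control-Allow-Origin': allowed, Vary: 'Origin' };
}

// Runs both resolvers over a list of request Origin values for side-by-side comparison.
function compare(requestOrigins) {
  return requestOrigins.map((origin) => ({
    origin: origin === undefined ? '(absent)' : origin,
    reflective: defaultOriginHeader(origin),
    hardened: safeOriginHeader(origin),
  }));
}

if (typeof require !== 'undefined' && require.main === module) {
  // Constructed sample inputs: an allowlisted origin, the "null" origin,
  // an unknown origin, a lookalike suffix, and a request with no Origin header.
  console.table(compare([
    'https://app.example.com',
    'null',
    'https://evil.example',
    'https://app.example.com.evil.example',
    undefined,
  ]));
}
```

Running the block prints a table in which the reflective column echoes `null` and the unknown origins unchanged, while the hardened column only ever contains an allowlisted origin or nothing. If a deployment genuinely needs to accept any origin, `Access-Control-Allow-Origin: *` (which cannot be combined with credentials) is a safer default than reflecting the request header, because the browser treats `*` as opaque rather than as a specific trusted origin.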