distinguish between explicit and implicit *

[cainlevy]

Fixes #117 by distinguishing between an explicit and implicit AllowedOrigins([]string{"*"}). This means that the origin will be reflected when a custom validator says it's okay and there is no contradictory AllowedOrigins(...) configuration.

If there is no custom validator, or the validator is paired with an explicit * (oops), then the allowed origin is a properly opaque * that will disable credentials.

Scrutiny and ideas for alternate implementations are welcome! 😓

[elithrar]

Thanks @cainlevy; will review this weekend.

@ejcx: any qualms?

[cainlevy]

Anything I can do to move this forward?

[ejcx]

Whoops. looks like I was the blocker here. Looks like this makes ACAO * always turned on, which is safe? I don't really know why you would want that but I don't see any issues with it.

[cainlevy]

My intent here is that ACAO * is returned when:

• CORS is running with all defaults (no custom validator, no specified origins)
• CORS has been configured with an explicit *

Otherwise, the current origin is reflected on the assumption that it has been previously validated by either a custom validator or a matching origin.

[ejcx]

SGTM!

[kisielk]

@elithrar what's the word on this one?

[elithrar]

Sorry for the long delay here! Merged.