allowRequest failures now return 403 Forbidden

[darrachequesne]

The kind of change this PR does introduce

• a bug fix
• a new feature
• an update to the documentation
• a code change that improves performance
• other

Current behaviour

When allowRequest option is provided and fails for a request (for example when checking the allowed origins in socket.io), the client receives:

400 Bad Request
Access-Control-Allow-Credentials: true
Access-Control-Allow-Origin: http://b.local /* but only a.local is allowed */

New behaviour

The client will now receive a 403 response, without CORS headers.

Other information (e.g. related issues)

Closes #449
Related: #211 & #281

[darrachequesne]

cc @akamensky @jdolega

[Kenzku]

Hej, how I can turn the CORS off to prevent things like this:

POST /socket.io/?EIO=3&transport=polling&t=1481690658797-5&sid=Dp18NNt_bWPkB4rGAAAP HTTP/1.1
Origin: https://evilhost.net

HTTP/1.1 400 Bad Request
Content-Type: application/json
Access-Control-Allow-Credentials: true
Access-Control-Allow-Origin: https://evilhost.net
Date: Fri, 03 Feb 2017 12:52:00 GMT
Connection: keep-alive
Transfer-Encoding: chunked

28
{"code":0,"message":"Transport unknown"}
0