fix(cors)!: doesn't return access-control-allow-origin header when origin is disallowed

fix(cors)!: doesn't return access-control-allow-origin header when origin is disallowed #1462