The default CORS configuration poses a security risk.

[ConardLi]

I don't understand why the latest commit sets the default Access-Control-Allow-Origin to *. This makes no difference to setting it as the request Origin, as both will break the browser's same-origin policy restrictions. The safest option is to default to empty, letting users specify the origin value themselves.

f31dac9

[fengmk2]

Setting request origin by default is more risky for browsers, so refer to industry practice such as expressjs to set it to * by default.
Since turning on the cors plugin is a user action, the default value is set instead of the null value, because if you want the null value, you can just introduce the cors plugin.

[panva]

Setting request origin by default is more risky for browsers

Could you please elaborate on this statement?

[julienw]

The subtle difference is with the behaviors around credentials (cookies especially). A request with credentials answered with Access-Control-Allow-Origin: "*" will returns an error in browsers, but with the right Origin credentials are accepted....
provided that Access-Control-Allow-Credentials: true is specified, which wasn't and still isn't the case by default.

(In short: I agree with you that the change didn't change anything)