#1731 CORS enabled by default for all HTTP services
What steps will reproduce the problem?
1. Write a HTTP module
2. Enable it and make a request to it in Prosody 0.12.0
3. Observe CORS headers in response that disable same-origin restrictions
What is the expected output?
Although same-origin restrictions are irrelevant for all HTTP services bundled with Prosody by default, the restrictions are not irrelevant for all possible HTTP services. Disabling same-origin restrictions by default on services that depend on them for security may be dangerous.
CORS should be opt-in for module developers, rather than opt-out.
What version of the product are you using? On what operating system?