whatyouhide/corsica

Make `:origins` a required option to avoid being insecure by default

thoughtless opened this issue · 4 comments

Currently Corsica is insecure by default. The default value of :origins is "*".


This can lead an inexperienced developer to believe that Corsica is configured correctly, but it is not. For example, a typo such as `origin: ["http://foo.com", "http://bar.com"]` will work for the happy path. But in reality the site will be insecure. If the user forgets to specify `:origins` the website will also be insecure.

Security best practice is for software to be secure by default. If Corsica is changed to default :origins to [] then users will quickly notice that they are not getting the expected CORS headers and that their configuration needs to be changed.

UPDATE: Title of PR updated to reflect the new behavior. See discussion below.

@thoughtless heyo, thanks for the report. I definitely see your point. However, I also strive to make Corsica usable by people. Usually, what they do is drop Corsica in and if something doesn't work right away, it might become a user-unfriendly experience. So I am a bit on the fence on this. We can show all examples in the code and documentation as `plug Corsica, origins: "*"`, so that users can copy paste that in when they start with Corsica and it works.

The usability point is fair. But as it is, it is quite easy to configure Corsica in an insecure way. Just adding `plug Corsica` to an app will open it up to a number of different attacks.

The ideal is probably to require the :origins option to be set, and give an informative error if it is missing. I haven't done that with my PR, instead I just changed the default to [].
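To make the three configurations discussed in this thread concrete (the old `"*"` default, the `[]` default from the PR, and the "required option with an informative error" proposal), here is an added Elixir illustration. It is not Corsica's code and `OriginPolicy`, `permissive_default/1`, `required/1` and `allowed?/2` are hypothetical names; the only thing it assumes about the real plug is that it is configured as `plug Corsica, origins: ...`.

```elixir
# Added illustration, not Corsica's own code. A minimal origin allowlist check
# so the effect of each default can be seen on a single constructed request.
defmodule OriginPolicy do
  # Old behaviour described in the issue: a missing option silently becomes "*".
  def permissive_default(opts), do: Keyword.get(opts, :origins, "*")

  # Behaviour of the PR: a missing option becomes [] (deny everything), so the
  # developer notices the absent CORS headers instead of an open site.
  def deny_default(opts), do: Keyword.get(opts, :origins, [])

  # Behaviour proposed in the thread: make the option required and fail loudly
  # at configuration time rather than at request time.
  def required(opts) do
    case Keyword.fetch(opts, :origins) do
      {:ok, origins} ->
        origins

      :error ->
        raise ArgumentError,
              "the :origins option is required, e.g. origins: [\"https://app.example\"]"
    end
  end

  # Decide whether a request's Origin header is allowed under the configured policy.
  def allowed?(_origin, "*"), do: true
  def allowed?(origin, origins) when is_list(origins), do: origin in origins
  def allowed?(origin, single) when is_binary(single), do: origin == single
end

# Constructed Origin header value that is not on any allowlist below.
unlisted = "https://unlisted.example"

# 1. The typo from the issue: `origin:` instead of `origins:`. The option is
#    ignored, so whichever default applies decides the outcome.
typo_opts = [origin: ["http://foo.com", "http://bar.com"]]

IO.inspect(OriginPolicy.allowed?(unlisted, OriginPolicy.permissive_default(typo_opts)),
  label: "typo with old \"*\" default allows unlisted origin")

IO.inspect(OriginPolicy.allowed?(unlisted, OriginPolicy.deny_default(typo_opts)),
  label: "typo with [] default allows unlisted origin")

try do
  OriginPolicy.required(typo_opts)
rescue
  e in ArgumentError -> IO.puts("typo with required option: " <> Exception.message(e))
end

# 2. Correct key with an explicit allowlist: only listed origins pass,
#    regardless of which default the library ships with.
good_opts = [origins: ["http://foo.com", "http://bar.com"]]
policy = OriginPolicy.required(good_opts)

IO.inspect(OriginPolicy.allowed?("http://foo.com", policy), label: "listed origin allowed")
IO.inspect(OriginPolicy.allowed?(unlisted, policy), label: "unlisted origin allowed")
```

Run it with `elixir origin_policy.exs`. The typo'd configuration is accepted in every variant, which is exactly the issue's point: under the `"*"` default the unlisted origin is allowed, under the `[]` default it is rejected (and the missing CORS headers surface the mistake during development), and with the required option the misconfiguration is reported before the application serves a single request.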

Closed by #34.