Use cors defaults when cors: true is set in bedrock config.

Author: dlongley

CHANGELOG.md

@@ -1,5 +1,14 @@
 # bedrock-express ChangeLog
 
+## 8.5.2 - 2025-12-dd
+
+### Fixed
+- Use `cors()` defaults when cors options are specified as `true` in the
+  bedrock configuration instead of as an object with granular options. It is
+  important that the defaults are used in this case and not just the "origin"
+  reflection mechanism both for security reasons and because some newer
+  browsers do not send an `origin` header in some circumstances.
+
 ## 8.5.1 - 2025-10-31
 
 ### Fixed

lib/index.js

@@ -218,8 +218,10 @@ bedrock.events.on('bedrock.start', async () => {
       let corsHandler = null;
       if('cors' in cfg) {
         if(typeof cfg.cors === 'boolean') {
-          // if boolean format and pass through
-          corsHandler = cors({origin: cfg.cors});
+          // if boolean format use defaults; using "*" is more secure than
+          // reflecting an origin (see CORS rules) and is what is expected; to
+          // reflect "origin" back, use an object with "{origin: true, ...}"
+          corsHandler = cors();
         } else {
           // if object, use as cors config
           corsHandler = cors(cfg.cors);