remove security risk

sokra · sokra · commit 626a35a4d602 · 2017-04-22T11:34:05.000+02:00
This is a breaking change but will be release on patch level
because it's a security issue.

To fix the breaking change add this to the middleware options:

``` js
{
  headers: {
    "Access-Control-Allow-Origin": "your-host-name"
  }
}
```
diff --git a/middleware.js b/middleware.js
@@ -61,7 +61,6 @@ module.exports = function(compiler, options) {
 			// server content
 			var content = context.fs.readFileSync(filename);
 			content = shared.handleRangeHeaders(content, req, res);
-			res.setHeader("Access-Control-Allow-Origin", "*"); // To support XHR, etc.
 			res.setHeader("Content-Type", mime.lookup(filename) + "; charset=UTF-8");
 			res.setHeader("Content-Length", content.length);
 			if(context.options.headers) {
