Minor README.md documentation issue/clarification.

[mortizbey]

Hi, there's a section in the Readme that says:

Note that you can always send back '' instead of echoing the 'Origin' header by including:

cors.headers = ['Access-Control-Allow-Origin': '*']

This can be combined with cors.allow.origin.regex to limit allowed domains.

That last sentence is kind of confusing since I don't know, from the context, what are you referring to by "combining with allow origin regex to limit allowed domains". Wouldn't setting the cors.allow.origin.regex property be enough since it would cancel out the * in the Access-Control-Allow-Origin?

Can you clarify this a little? Then I can fork the documentation and fix that part if you want to.

Thanks!

[mortizbey]

Any answer to this? It has been a year now.

[davidtinker]

If cors.allow.origin.regex is set then CORS headers are only sent back for origins that match the regex. So using a star for the Access-Control-Allow-Origin is ok because you aren't relying on the browser to check for valid domains.