Access-Control-Allow-Origin set to '*' even when 'Origin' is supplied

[75lb]

The recent breaking change to fix this advisory fixes the scenario where an origin is not specified but it breaks the scenario where it is.

If an Origin is supplied in the request, the spec states the server "must return the origin for the specific client making the request" (i.e. the origin passed in). All my apps and test suites are configured to expect this behaviour, however this library now returns * instead.

Could you confirm that was the intended behaviour, to ignore the incoming request origin in all scenarios?