koajs / cors

Cross-Origin Resource Sharing(CORS) for koa


The default CORS configuration poses a security risk.

ConardLi opened this issue · comments

I don't understand why the latest commit sets the default Access-Control-Allow-Origin to *. This makes no difference to setting it as the request Origin, as both will break the browser's same-origin policy restrictions. The safest option is to default to empty, letting users specify the origin value themselves.

f31dac9

Setting request origin by default is more risky for browsers, so refer to industry practice such as expressjs to set it to * by default.
Since turning on the cors plugin is a user action, the default value is set instead of the null value, because if you want the null value, you can just introduce the cors plugin.

Setting request origin by default is more risky for browsers

Could you please elaborate on this statement?

The subtle difference is with the behaviors around credentials (cookies especially). A request with credentials answered with Access-Control-Allow-Origin: "*" will return an error in browsers, but with the right Origin credentials are accepted...
provided that Access-Control-Allow-Credentials: true is specified, which wasn't and still isn't the case by default.

(In short: I agree with you that the change didn't change anything)
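To make the credentials nuance from the replies above checkable, here is an added example (not @koa/cors's own code): it models the three origin policies discussed (`*`, reflecting the request Origin, and an explicit allowlist) together with the browser-side CORS check from the Fetch specification, and wraps the allowlist policy in a Koa-shaped middleware. The policy option names and the `ctx.get`/`ctx.set` usage are assumptions for illustration.

```javascript
// Added example, not @koa/cors code. Policy shape (assumed):
// { origin: '*' | 'echo' | ['https://trusted.example', ...], credentials: boolean }
function corsHeaders(requestOrigin, policy) {
  const headers = {};
  if (policy.origin === '*') {
    headers['Access-Control-Allow-Origin'] = '*';
  } else if (policy.origin === 'echo') {
    // Reflect whatever Origin the request carries (the earlier default the thread describes).
    if (requestOrigin) headers['Access-Control-Allow-Origin'] = requestOrigin;
  } else if (Array.isArray(policy.origin)) {
    // Allowlist: reflect only origins the operator explicitly trusts.
    if (policy.origin.includes(requestOrigin)) {
      headers['Access-Control-Allow-Origin'] = requestOrigin;
      headers['Vary'] = 'Origin'; // keep caches from serving one origin's answer to another
    }
  }
  if (policy.credentials && headers['Access-Control-Allow-Origin']) {
    headers['Access-Control-Allow-Credentials'] = 'true';
  }
  return headers;
}

// Browser-side rule (Fetch spec CORS check): without credentials, '*' or an exact
// origin match passes; with credentials, '*' is rejected and
// Access-Control-Allow-Credentials must be exactly 'true'.
function browserAccepts(requestOrigin, headers, withCredentials) {
  const acao = headers['Access-Control-Allow-Origin'];
  if (acao === undefined) return false;
  if (!withCredentials) return acao === '*' || acao === requestOrigin;
  return acao === requestOrigin && headers['Access-Control-Allow-Credentials'] === 'true';
}

// Koa-shaped middleware applying a policy; ctx.get/ctx.set are Koa's header accessors.
function cors(policy) {
  return async (ctx, next) => {
    const headers = corsHeaders(ctx.get('Origin'), policy);
    for (const [name, value] of Object.entries(headers)) ctx.set(name, value);
    await next();
  };
}
```

Running the checks shows why the thread's "no difference" conclusion holds: `*` and a reflected Origin behave identically while `credentials` stays off, and only reflecting the Origin with `credentials: true` lets an arbitrary site read a cookie-authenticated response.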