Under the current design, if CORS is enabled and a default CORS policy is created without input, it by default allows all origins and headers from the request, and allows all exposed headers to be returned in the response. This raises the security concern of unintentionally exposing endpoints.
Change the design to: if not specified, none of the origins or request headers are allowed, and none of the response headers are exposed.
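The difference between the two defaults, as an added example that is not the project's own code: a simplified policy evaluator in which an empty policy allows nothing, with the old allow-all behaviour modelled as a wildcard. `CorsPolicy`, `PERMISSIVE`, `cors_response_headers` and the sample origin are hypothetical names chosen for illustration.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class CorsPolicy:
    # Hypothetical policy object. Empty sets mean "nothing allowed",
    # which is the proposed default when no input is given.
    allowed_origins: frozenset = frozenset()
    allowed_request_headers: frozenset = frozenset()
    exposed_headers: frozenset = frozenset()


# The old default described above, modelled as a wildcard in every field.
PERMISSIVE = CorsPolicy(frozenset({"*"}), frozenset({"*"}), frozenset({"*"}))


def _match(value, allowed):
    # Policy entries are expected in lower case; "*" matches anything.
    return "*" in allowed or value.lower() in allowed


def cors_response_headers(policy, origin, requested_headers=(), response_header_names=()):
    """Return the CORS headers to add to a response.

    Simplified model: preflight and actual requests are handled together.
    An empty dict means no CORS headers are sent, so the browser blocks
    the cross-origin read.
    """
    if origin is None or not _match(origin, policy.allowed_origins):
        return {}
    requested = [h.strip().lower() for h in requested_headers]
    if not all(_match(h, policy.allowed_request_headers) for h in requested):
        return {}
    out = {"Access-Control-Allow-Origin": origin, "Vary": "Origin"}
    if requested:
        out["Access-Control-Allow-Headers"] = ", ".join(requested)
    exposed = [h for h in response_header_names if _match(h, policy.exposed_headers)]
    if exposed:
        out["Access-Control-Expose-Headers"] = ", ".join(exposed)
    return out


if __name__ == "__main__":
    origin = "https://app.example"  # constructed sample origin
    print("old default:", cors_response_headers(PERMISSIVE, origin, ["X-Any"], ["X-Debug"]))
    print("new default:", cors_response_headers(CorsPolicy(), origin, ["X-Any"], ["X-Debug"]))
```
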