Under the current design, if CORS is enabled and a default CORS policy is created without input, it by default allows all origins and headers from the request, and allows all exposed headers to be returned in the response. This brings the security concern of unintentionally exposing endpoints.
Change the design to: if not specified, none of the origins or request headers are allowed, and none of the response headers are exposed.
Comments: Fixed: https://aspnetwebstack.codeplex.com/SourceControl/changeset/81afb24481aff8cabf26b5cf4eb29f01093c655a
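
An added example, not code from the ASP.NET Web Stack project: a default policy provider for Web API that lists every allowed origin, request header, method and exposed header explicitly, so the outcome does not depend on what an unspecified policy allows. The class names and the origin and header values are constructed for illustration.

```csharp
using System;
using System.Net.Http;
using System.Threading;
using System.Threading.Tasks;
using System.Web.Cors;
using System.Web.Http;
using System.Web.Http.Cors;

// Hypothetical provider: everything the policy permits is named explicitly.
public sealed class ExplicitCorsPolicyProvider : ICorsPolicyProvider
{
    private readonly CorsPolicy _policy;

    public ExplicitCorsPolicyProvider()
    {
        _policy = new CorsPolicy();
        _policy.Origins.Add("https://app.example.com");   // constructed sample origin
        _policy.Headers.Add("content-type");              // allowed request header
        _policy.Methods.Add("GET");
        _policy.Methods.Add("POST");
        _policy.ExposedHeaders.Add("x-request-id");       // constructed sample response header
        AssertNoAllowAll(_policy);
    }

    // Fail at startup if a later edit reintroduces an allow-all setting
    // or leaves the origin list empty.
    private static void AssertNoAllowAll(CorsPolicy p)
    {
        if (p.AllowAnyOrigin || p.AllowAnyHeader || p.AllowAnyMethod)
            throw new InvalidOperationException("CORS policy must not allow any origin, header or method.");
        if (p.Origins.Count == 0)
            throw new InvalidOperationException("CORS policy lists no origins.");
    }

    public Task<CorsPolicy> GetCorsPolicyAsync(HttpRequestMessage request, CancellationToken cancellationToken)
    {
        return Task.FromResult(_policy);
    }
}

public static class WebApiConfig
{
    public static void Register(HttpConfiguration config)
    {
        // Register the explicit policy as the application-wide default.
        config.EnableCors(new ExplicitCorsPolicyProvider());
    }
}
```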