Suppress empty Access-Control-Allow-Origin

We should be able to disable CORS by the configuration,
but "Access-Control-Allow-Origin: (empty)" style is not permitted according to RFC.

src/civetweb.c

@@ -9563,6 +9563,7 @@ handle_static_file_request(struct mg_connection *conn,
 	int n, truncated;
 	char gz_path[PATH_MAX];
 	const char *encoding = "";
+	const char *cors_orig_cfg;
 	const char *cors1, *cors2, *cors3;
 	int is_head_request;
 
@@ -9683,15 +9684,16 @@ handle_static_file_request(struct mg_connection *conn,
 #endif
 
 	/* Standard CORS header */
+	cors_orig_cfg = conn->dom_ctx->config[ACCESS_CONTROL_ALLOW_ORIGIN];
 	hdr = mg_get_header(conn, "Origin");
-	if (hdr) {
+	if (cors_orig_cfg && *cors_orig_cfg && hdr) {
 		/* Cross-origin resource sharing (CORS), see
 		 * http://www.html5rocks.com/en/tutorials/cors/,
 		 * http://www.html5rocks.com/static/images/cors_server_flowchart.png
 		 * -
 		 * preflight is not supported for files. */
 		cors1 = "Access-Control-Allow-Origin: ";
-		cors2 = conn->dom_ctx->config[ACCESS_CONTROL_ALLOW_ORIGIN];
+		cors2 = cors_orig_cfg;
 		cors3 = "\r\n";
 	} else {
 		cors1 = cors2 = cors3 = "";
@@ -11822,16 +11824,18 @@ handle_ssi_file_request(struct mg_connection *conn,
 {
 	char date[64];
 	time_t curtime = time(NULL);
+	const char *cors_orig_cfg;
 	const char *cors1, *cors2, *cors3;
 
 	if ((conn == NULL) || (path == NULL) || (filep == NULL)) {
 		return;
 	}
 
-	if (mg_get_header(conn, "Origin")) {
+	cors_orig_cfg = conn->dom_ctx->config[ACCESS_CONTROL_ALLOW_ORIGIN];
+	if (cors_orig_cfg && *cors_orig_cfg && mg_get_header(conn, "Origin")) {
 		/* Cross-origin resource sharing (CORS). */
 		cors1 = "Access-Control-Allow-Origin: ";
-		cors2 = conn->dom_ctx->config[ACCESS_CONTROL_ALLOW_ORIGIN];
+		cors2 = cors_orig_cfg;
 		cors3 = "\r\n";
 	} else {
 		cors1 = cors2 = cors3 = "";