Allow not returning any access control headers if the Origin is not allowed to access the resource

[mjarosie]

Describe the feature

At the moment the library does not allow handling the scenario in which the origin is not allowed to access the resource: it expects options. origin to always return a string. That leads to developers having to come up with a "workaround" configuration (for example here or here) which is not ideal:

• I'd rather not return any allowed domains to the caller if the caller is not allowed to call my API in the first place as it might undisclose details unnecessarily.
• Returning false/undefined from origin function causes the middleware to be completely ignored which seems to be a feature of this library as there's a unit test that proves this behaviour.
• Returning a null is not a good practice because of security issues as described in this issue.

If the request Origin is not allowed, the middleware should be able to respond to pre-flight requests immediately with no Access-Control headers being returned at all.

Checklist

• I have searched through GitHub issues for similar issues.
• I have completely read through the README and documentation.

[pilotmoon]

To set no Access-Control headers at all in the response, return an empty string "" from the options.origin function.