Remove hardcoded CORS headers

[tadovas]

This is not a bug, but more like an enhancement.
Current CORS headers returned by http handler enforce "allow all" and there is no easy way to change that (except for writing a custom middleware which will wrap response with our custom one, which will discard those headers).
IMHO CORS is not part of SSE response and should be handled elsewhere - i.e. in middlewares.
This is probably a breaking change, as some clients might already expect those headers to be sent.

[tadovas]

I am not sure if its worth to be covered with tests

[purehyperbole]

Thanks for raising the issue.

I think you're right that this should be moved out, however ideally without breaking things for other users who might be relying on that header.

I will have a think and see if there's a nice way to achieve this.

[tadovas]

A few suggestions came into my mind if you are interested:

1. Make a 2.x.x release which semantically mean a breaking change release
2. Make a normal 1.x.x release and add mention that there is a breaking change
3. Make a flag which by default keep old behaviour, but can be used to disable CORS sending. Might be removed in the future

[purehyperbole]

Sorry for leaving this so long! Custom headers are now supported by the server.

It should be possible to remove the header by:

s := sse.New()
delete(s.Headers, "Access-Control-Allow-Origin")

or by

s := sse.New()
s.Headers = nil

This should preserve backwards compatibility for users who are relying on that header being present.