r0man / ring-cors

Ring middleware for Cross-Origin Resource Sharing.
http://github.com/r0man/ring-cors

Only Trigger the middleware on Origin/Host mismatch #15

Open gbuisson opened 7 years ago

gbuisson commented 7 years ago

The current condition for ring-cors to be triggered is only to check the presence of an Origin header on the request.

Some browsers like Chrome always send that header even for same domain origin requests, thus ring-cors is triggered where it shouldn't, leading to unexpected behavior.

I think it would be best to check the presence of Origin as well as a mismatch between Origin and Host instead.

r0man commented 7 years ago

@gbuisson Yes, I think that's a valid strategy. Patch welcome! ;)
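The check proposed in this issue, sketched as an added example (not ring-cors code and not a patch from either commenter). `Origin` carries a scheme and optional port while `Host` does not, so the comparison has to normalise both sides before deciding the request is cross-origin. Assumptions: the namespace and function names are hypothetical, the request is a standard Ring request map, and `:scheme` and `Host` reflect what the browser sent (behind a TLS-terminating proxy they may not).

```clojure
(ns example.same-origin
  (:require [clojure.string :as str])
  (:import (java.net URI)))

;; Ports implied when the Origin or Host value omits one.
(def default-ports {"http" 80 "https" 443})

(defn- origin-tuple
  "Parse an origin string into [scheme host port]. Returns nil when the value
  is missing, is the literal \"null\" origin, or cannot be parsed."
  [origin]
  (when (and origin (not= "null" origin))
    (try
      (let [uri    (URI. origin)
            scheme (some-> (.getScheme uri) str/lower-case)
            host   (some-> (.getHost uri) str/lower-case)
            port   (.getPort uri)]
        (when (and scheme host)
          [scheme host (if (neg? port) (default-ports scheme) port)]))
      (catch Exception _ nil))))

(defn- request-tuple
  "Build the same [scheme host port] tuple from the Ring request's own
  :scheme and Host header."
  [{:keys [scheme headers]}]
  (when-let [host (get headers "host")]
    (origin-tuple (str (some-> scheme name) "://" host))))

(defn cross-origin?
  "True when an Origin header is present and does not match the request's own
  scheme/host/port. An Origin that cannot be parsed is treated as
  cross-origin so CORS checks still run rather than being skipped."
  [request]
  (let [origin (get-in request [:headers "origin"])]
    (boolean
     (and origin
          (let [o (origin-tuple origin)]
            (or (nil? o) (not= o (request-tuple request))))))))

(comment
  ;; Constructed sample requests for trying the predicate at a REPL.
  (cross-origin? {:scheme :https
                  :headers {"host" "app.example.test"
                            "origin" "https://app.example.test:443"}})
  (cross-origin? {:scheme :https
                  :headers {"host" "app.example.test"
                            "origin" "http://app.example.test"}})
  (cross-origin? {:scheme :https
                  :headers {"host" "app.example.test" "origin" "null"}}))
```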