fix: ensure non-* CORS origin header is set if no req headers sent

src/index.ts

@@ -24,7 +24,7 @@ const io = socketIO(server, {
   handlePreflightRequest: function (req, res) {
     var headers = {
       "Access-Control-Allow-Headers": "Content-Type, Authorization",
-      "Access-Control-Allow-Origin": req.header ? req.header.origin : "*",
+      "Access-Control-Allow-Origin": req.header ? req.header.origin : "https://excalidraw.com",
       "Access-Control-Allow-Credentials": true,
     };
     res.writeHead(200, headers);