fix(server)!: should respect the value of the server.cors option

[chenjiahan]

Summary

The Rsbuild dev server unexpectedly set Access-Control-Allow-Origin to * by default, which caused the server.cors option not to work as expected and introduced security risks.

This PR removes the default Access-Control-Allow-Origin: * and strictly enables CORS according to the value of server.cors.

This may break users who are using Module Federation or proxy tools, so I added compatibility code for Module Federation.

Migration

To enable CORS, set server.cors to true:

export default {
  server: {
    cors: true,
  },
};

Related Links

• fix(rsbuild-plugin): explicitly setting CORS headers module-federation/core#3635
• GHSA-vg6x-rcgg-rjx6

Checklist

• Tests updated (or not required).
• Documentation updated (or not required).

[netlify]

✅ Deploy Preview for rsbuild ready!

Name	Link
🔨 Latest commit	0452ca3
🔍 Latest deploy log	https://app.netlify.com/sites/rsbuild/deploys/67e3ac10eec994000801b748
😎 Deploy Preview	https://deploy-preview-4876--rsbuild.netlify.app
📱 Preview on mobile	Toggle QR Code... Use your smartphone camera to open QR code link.
Lighthouse	1 paths audited Performance: 76 (🟢 up 1 from production) Accessibility: 97 (no change from production) Best Practices: 100 (no change from production) SEO: 100 (no change from production) PWA: 60 (no change from production) View the detailed breakdown and full score reports

---

To edit notification comments on pull requests, go to your Netlify site configuration.