docs: Update documentation for changes to cors_domains option

Signed-off-by:  Eric Callahan <arksine.code@gmail.com>

README.md

@@ -18,7 +18,7 @@ to see if any action is necessary on their part.  The date of the most
 recent change is included.
 
 Users:\
-[user_changes.md](/docs/user_changes.md) - March 6th 2021
+[user_changes.md](/docs/user_changes.md) - March 10th 2021
 
 Developers:\
 [api_changes.md](/docs/api_changes.md) - January 31st 2021

docs/configuration.md

@@ -88,7 +88,19 @@ cors_domains:
   http://klipper-printer.local
   http://second-printer.local:7125
 #   Enables CORS for the specified domains.  One may specify * if they wish
-#   to allow all domains.
+#   to allow all domains, however this should be an option reserved for
+#   client developers and not used in production.  A * can also be used
+#   to specify a wildcard that matches several domains.  For example:
+#     *.local
+#     http://*.my-domain.com
+#     *.my-domain.com:*
+#   Are all valid entries.  However, a wildcard may not be specified in
+#   the top level domain:
+#      http://my-printer.*
+#   The above example will be rejected.
+#   When CORS is enabled by adding an entry to this option, all origins
+#   matching the "trusted_clients" option will have CORS headers set as
+#   well.  If this option is not specified then CORS is disabled.
 ```
 
 # Plugin Configuration

docs/user_changes.md

@@ -1,5 +1,13 @@
 This file will track changes that require user intervention,
 such as a configuration change or a reinstallation.
+
+### March 10th 2021
+- The `cors_domain` option in the `[authoriztion]` section is now
+  checked for dangerous entries.  If a domain entry contains a
+  wildcard in the top level domain (ie: `http://www.*`) then it
+  will be rejected, as malicious website can easily reproduce
+  this match.
+
 ### March 6th 2021
 - The `enable_debug_logging` in the `[server]` section now defaults
   to `False`.  This dramatically reduces the amount of logging produced