v1.4.2

The CORS specification defines "null" as the value for the Access-Control-Allow-Origin header when an origin is rejected. However, it turns out that there are ways for this to be exploited. Thanks to @slipo for bringing this to my attention and providing a patch.