server: prohibit Cross-Origin Resource Sharing

Flood instances should not be accessible to other sites.

This change prevents malicious sites from using resources of
a Flood instance and hijacking the browser to submit malicious
requests to Flood.

server/middleware/eventStream.js

@@ -6,7 +6,7 @@ module.exports = (req, res, next) => {
     'Content-Type': 'text/event-stream',
     'Cache-Control': 'no-cache',
     Connection: 'keep-alive',
-    'Access-Control-Allow-Origin': '*',
+    'Cross-Origin-Resource-Policy': 'same-origin',
     'X-Accel-Buffering': 'no',
   });
   res.status(200);