More tests, misc fixes

src/Http/Middleware/ResponseMiddleware.php

@@ -75,11 +75,14 @@ class ResponseMiddleware
                     'method' => $request->getMethod(), 
                     'path' => $request->getUri()->getPath(), 
                 ]);
+
                 return $response
                     // ->withAddedHeader('Link', '<https://'.$host.'/.well-known/mercure>; rel="mercure"')
                     // ->withAddedHeader('Link', '<wss://'.$host.'/.well-known/mercure>; rel="mercure+ws"')
-                    ->withHeader('Access-Control-Allow-Origin', '*')
-                    ->withHeader('Content-Security-Policy', "default-src * 'self' http: 'unsafe-eval' 'unsafe-inline'; connect-src * 'self'")
+                    ->withHeader('Access-Control-Allow-Origin', 
+                        $this->config->get('server.cors.allow_origin', '*'))
+                    ->withHeader('Content-Security-Policy', 
+                        $this->config->get('server.cors.csp', "default-src * 'self' http: 'unsafe-eval' 'unsafe-inline'; connect-src * 'self'"))
                     ->withHeader('Cache-Control', 'must-revalidate')
                     ->withHeader('Server', 'Mercureact/0.1.0');
             }