core.modulemanager: Fix global flag on per-host instances of shared modules (fix #1736) This flag is something of a shortcut for `module.host == "*"` and should always be equal to that. Its absence on the proxy object made the property of the global module instance visible, causing problems such as with URL reporting in mod_http

Merge 0.12->trunk

configmanager: Clearer errors when providing unexpected values after VirtualHost (fixes #1735, thanks arawaks)

Merge 0.12->trunk

util.random: Test whether util.crand works before using it (fix #1734) util.crand can be configured at compile time to use the Linux getrandom() system call, available from Linux 3.17, but it is still possible to load it with an older kernel lacking that system call, where attempting to use it throws an ENOSYS error. By testing for this on load we can fall back to /dev/urandom in this case.

Merge 0.12->trunk

mod_http (and dependent modules): Make CORS opt-in by default (fixes #1731) The same-origin policy enforced by browsers is a security measure that should only be turned off when it is safe to do so. It is safe to do so in Prosody's default modules, but people may load third-party modules that are unsafe. Therefore we have flipped the default, so that modules must explicitly opt in to having CORS headers added on their requests.

mod_http: Reintroduce support for disabling or limiting CORS (fixes #1730) This is far better than pre-0.12, because we now have a universal way to configure and enable/disable CORS on a per-module basis.

Merge 0.12->trunk

prosodyctl: check config: Report paths of loaded configuration files (fixed #1729)