Portal B20 + config ref: correct PORTAL_CORS_ALLOWED_ORIGINS default

OEL confirmed: rs/cors v1.11.1 treats an empty AllowedOrigins slice as
allow-all (sets allowedOriginsAll=true). When PORTAL_CORS_ALLOWED_ORIGINS
is unset the Portal allows all origins — not "no origins" as previously
stated. Update both B20 and configuration.mdx to reflect actual behavior.

Author: sharadregoti

portal/how-to-guides/configure-cors.mdx

@@ -48,7 +48,7 @@ Portal application CORS controls which external origins may call the Portal's ow
 
    Set [PORTAL_CORS_ALLOWED_ORIGINS](/product-stack/tyk-enterprise-developer-portal/deploy/configuration#portal-cors-allowed-origins) to the origins permitted to make cross-origin requests to the Portal. Use the exact scheme and host of each origin, separated by commas. Wildcards are supported.
 
-   {/* TODO: Verify the default behavior when PORTAL_CORS_ALLOWED_ORIGINS is unset. Code analysis (rs/cors library) indicates an empty slice allows all origins. The configuration reference states no origins are allowed by default. Confirm with the Portal team before documenting a specific default. */}
+   When unset, all origins are allowed by default. Specify origins explicitly to restrict access.
 
    <Tabs>
      <Tab title="Environment variable">

product-stack/tyk-enterprise-developer-portal/deploy/configuration.mdx

@@ -522,7 +522,7 @@ In other words, any cross-origin request will be denied. When enabled, the below
 **Config file:** CORS.AllowedOrigins <br/>
 **Type:** `[string]` <br/>
 **Description**: A list of origin domains to allow access from. Wildcards are also supported, e.g. [`*.foo.com`] will allow access from any domain that ends with *.foo.com*.
-By default, no origins are allowed. To apply this setting, an array of the allowed origins.
+When unset, all origins are allowed by default. Specify origins explicitly to restrict access.
 
 To configure using a configuration file:
 ```json