Tab Atkins Jr.: > On Sun, Jul 25, 2010 at 5:25 AM, Christoph Päper >> >> Access-Control-Allow-Origin: http://*.wikipedia.org > > This one might work, but: > >> Access-Control-Allow-Origin: http://example.*, http://example.co.* > > This one won't, because it'll match "example.co.evilsite.com".
I included example.co.* to suggest that the asterisk is a placeholder for one level only (also works with IPv4 addresses), but yes, right-side wildcards are probably a worse and less useful idea than left-side ones.