Does Access-Control-Allow-Origin need to be domain specific?

Infosec has recommended that we use this header:

Access-Control-Allow-Origin:http://domainA.mycompany.com,http://*.mycompany.com

But I also own the domain http://domainB.mycompany.com. So, if I just use

Access-Control-Allow-Origin:http://*.mycompany.com

will this be enough? Or does it need to be domain specific?
