Allowed web origins URLs not working with wildcard

Problem statement

We have an application at https://www.sub1.sub2.example.com and have configured https://*.sub2.example.com in our Allowed Origins list, but we are still seeing CORS errors.

We believe this wildcard URL meets the validation rules as documented. We are wondering why this wildcard Allowed Origin URL appears to not be working.

Cause

The URL https://*.sub2.example.com meets the validation rules, but as documented it will not work in certain scenarios. In particular, the documentation states:

A URL with a valid wildcard will not match a URL more than one subdomain level in place of the wildcard. https://*.example.com will not work with https://sub1.sub2.example.com.

This is because the ‘www’ prefix counts as the first subdomain. The wildcard cannot match more than one subdomain level, and in this case the origin requires it to match two subdomain levels (www.sub1).

Solution

If it is possible to remove the 'www' prefix from the URL and run the application from https://sub1.sub2.example.com, that should work with the wildcard https://*.sub2.example.com.
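
The matching rule described under Cause, and the effect of the change suggested above, as an added example. This is not the product's own validation code: the function names are hypothetical, and it assumes the wildcard is only valid as the leftmost host label and that ports are compared literally.

```javascript
// Added illustration: single-label wildcard matching for allowed origins.
// Assumption: "*" may only stand in for the leftmost host label and matches
// exactly one label (no dots), as the documented rule quoted above describes.

function parseOrigin(value) {
  // Split "scheme://host[:port]" by hand so the pattern and the origin
  // are parsed identically. Ports are compared literally (assumption).
  const m = /^([a-z][a-z0-9+.-]*):\/\/([^/:?#]+)(?::(\d+))?$/i.exec(value);
  if (!m) return null;
  return {
    scheme: m[1].toLowerCase(),
    labels: m[2].toLowerCase().split("."),
    port: m[3] || "",
  };
}

function originMatches(pattern, origin) {
  const p = parseOrigin(pattern);
  const o = parseOrigin(origin);
  if (!p || !o) return false;
  if (p.scheme !== o.scheme || p.port !== o.port) return false;
  // One label per position: the wildcard can never absorb "www.sub1".
  if (p.labels.length !== o.labels.length) return false;
  return p.labels.every((label, i) => {
    if (label === "*") return i === 0 && o.labels[i].length > 0;
    return label === o.labels[i];
  });
}

function isAllowed(allowedOrigins, origin) {
  return allowedOrigins.some((pattern) => originMatches(pattern, origin));
}

// Constructed sample values taken from the scenario on this page.
const allowed = ["https://*.sub2.example.com"];
for (const origin of [
  "https://www.sub1.sub2.example.com", // two labels in place of "*"
  "https://sub1.sub2.example.com",     // one label in place of "*"
  "https://sub2.example.com",          // no label in place of "*"
]) {
  console.log(origin, "->", isAllowed(allowed, origin));
}
```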