Allowed web origins URLs not working with wildcard

Problem statement

We have an application at and have configured https://* in our Allowed Origins list, but we are still seeing CORS errors.

We believe this Wildcard URL meets the validation rules as documented. We are wondering why this wildcard Allowed Origin URL appear to not be working.


The URL https://* meets the validation rules, but as documented it won’t actually work for certain scenarios, in particular, it won’t work for:

A URL with a valid wildcard will not match a URL more than one subdomain level in place of the wildcard. https://* will not work with

This is because the ‘www’ prefix is included as the first subdomain. The wildcard can’t match more than one subdomain and in this case they are attempting to match TWO subdomain levels (www.sub1 ).


If it is possible to remove the 'www' prefix from the URL and run the application from, that should work with the wildcard https://*