From c3877da61c401696951206d57b89324be9ae0771 Mon Sep 17 00:00:00 2001 From: "opencode-agent[bot]" Date: Fri, 6 Feb 2026 11:26:09 +0000 Subject: [PATCH] Fixed invalid CORS wildcard example Co-authored-by: elithrar --- src/content/partials/workers/custom_headers.mdx | 16 ++++++++++------ 1 file changed, 10 insertions(+), 6 deletions(-) diff --git a/src/content/partials/workers/custom_headers.mdx b/src/content/partials/workers/custom_headers.mdx index 0debfc0c5cf882e..b141e5868dc94b2 100644 --- a/src/content/partials/workers/custom_headers.mdx +++ b/src/content/partials/workers/custom_headers.mdx @@ -102,16 +102,20 @@ To enable other domains to fetch every static asset from your {props.product === Access-Control-Allow-Origin: * ``` -This applies the `Access-Control-Allow-Origin` header to any incoming URL. To be more restrictive, you can define a URL pattern that applies to a {props.product === 'workers' ? '\*.\*.workers.dev' : '\*.pages.dev'} subdomain, which then only allows access from its {props.product === 'workers' ? preview URLs : <>staging branch's subdomain}: +{props.product === "workers" ? ( +<> +This applies the `Access-Control-Allow-Origin` header to any incoming URL. Note that the CORS specification only allows `*`, `null`, or an exact origin as valid `Access-Control-Allow-Origin` values — wildcard patterns within origins are not supported. To allow CORS from specific preview URLs, you will need to handle this dynamically in your Worker code rather than through the `_headers` file. + +) : ( +<> +This applies the `Access-Control-Allow-Origin` header to any incoming URL. To be more restrictive, you can define a URL pattern that applies to a {'\*.pages.dev'} subdomain, which then only allows access from its staging branch's subdomain: + +)} ##### Prevent your workers.dev URLs showing in search results