
Invalid Access-Control-Allow-Origin example in Workers _headers docs #22002

Open
@viliket


Existing documentation URL(s)

What changes are you suggesting?

The CORS example in the Workers Static Assets Headers documentation seems to be invalid according to the CORS specification.

Specifically, this example does not work as described:

https://:worker.:subdomain.workers.dev/*
  Access-Control-Allow-Origin: https://*-:worker.:subdomain.workers.dev/

According to the WHATWG Fetch specification, Access-Control-Allow-Origin only accepts:

  • * (all origins)
  • null
  • An exact origin (protocol + domain + port)

Wildcards within origin values like https://*-my-worker.my-subdomain.workers.dev are not supported.

Example of issue

Using the _headers example described in the documentation, when fetching https://my-worker.my-subdomain.workers.dev/asset.png with an origin https://versionprefix-my-worker.my-subdomain.workers.dev, the CORS request fails due to a mismatching Access-Control-Allow-Origin:

Request headers:

OPTIONS /asset.png HTTP/3
Host: my-worker.my-subdomain.workers.dev
Access-Control-Request-Method: GET
Origin: https://versionprefix-my-worker.my-subdomain.workers.dev

Response headers:

HTTP/3 200 OK
Access-Control-Allow-Origin: https://*-my-worker.my-subdomain.workers.dev/

This causes CORS failure as the browser rejects this invalid Access-Control-Allow-Origin header value.

Suggested action

Remove this invalid example from the documentation since it cannot work as described. Alternatively, give an updated example if there is some other workaround.

Additional information

No response
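Added example, written for this issue and not taken from the Cloudflare docs or the reporter: since Access-Control-Allow-Origin cannot carry a wildcard inside an origin, the usual way to allow a family of preview origins is to match the request's Origin header against a strict, fully anchored allow-list pattern at runtime and echo back that exact origin together with `Vary: Origin`. The names `ALLOWED_ORIGIN`, `corsHeadersFor`, `isValidAllowOriginValue` and `handlePreflight` are assumptions for this illustration, as is the `workers.dev` host pattern, which mirrors the issue's example. The block also includes a checker that rejects header values the Fetch specification does not permit, such as the wildcard-and-trailing-slash value shown above.

```javascript
// Added example, not from the Cloudflare documentation or the issue author.
// Allow-list: https://<anything>-my-worker.my-subdomain.workers.dev
// The pattern is anchored at both ends and uses a narrow character class so
// that hosts such as https://my-worker.my-subdomain.workers.dev.evil.example
// or origins with a path, port or query cannot match (hypothetical constant).
const ALLOWED_ORIGIN = /^https:\/\/[a-z0-9-]+-my-worker\.my-subdomain\.workers\.dev$/;

// Returns true only for values the Fetch spec accepts in
// Access-Control-Allow-Origin: "*", "null", or one serialized origin
// (scheme://host[:port], no path, no query, no fragment, no wildcard).
function isValidAllowOriginValue(value) {
  if (value === "*" || value === "null") return true;
  if (value.includes("*")) return false; // wildcards inside an origin are not allowed
  let url;
  try {
    url = new URL(value);
  } catch {
    return false;
  }
  // A serialized origin round-trips unchanged; "https://host/" does not.
  return url.origin === value;
}

// Builds the CORS response headers for a request carrying the given Origin.
// Only an allow-listed origin is reflected, and it is reflected verbatim so
// the browser's exact-match comparison succeeds. Vary: Origin is always set
// so shared caches do not serve one origin's response to another.
function corsHeadersFor(originHeader) {
  const headers = { Vary: "Origin" };
  if (typeof originHeader === "string" && ALLOWED_ORIGIN.test(originHeader)) {
    headers["Access-Control-Allow-Origin"] = originHeader;
    headers["Access-Control-Allow-Methods"] = "GET, HEAD, OPTIONS";
    headers["Access-Control-Max-Age"] = "600";
  }
  return headers;
}

// Answers a preflight (OPTIONS) request; a disallowed origin simply gets no
// Access-Control-Allow-Origin header, which the browser treats as a refusal.
function handlePreflight(request) {
  const cors = corsHeadersFor(request.headers.get("Origin"));
  return new Response(null, { status: 204, headers: cors });
}

// Constructed sample, matching the request in the issue report above.
const sampleOrigin = "https://versionprefix-my-worker.my-subdomain.workers.dev";
console.log(corsHeadersFor(sampleOrigin));
console.log(isValidAllowOriginValue("https://*-my-worker.my-subdomain.workers.dev/")); // false
```

In a Worker, `handlePreflight` would be called from the fetch handler when `request.method === "OPTIONS"`, and `corsHeadersFor` merged onto the headers of the asset response otherwise; the key point is that the reflected value is always the single exact origin the browser sent, never a pattern.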
