Description
Existing documentation URL(s)
What changes are you suggesting?
The CORS example in the Workers Static Assets Headers documentation seems to be invalid according to the CORS specification.
Specifically, this example does not work as described:
https://:worker.:subdomain.workers.dev/*
  Access-Control-Allow-Origin: https://*-:worker.:subdomain.workers.dev/
According to the WHATWG Fetch specification, Access-Control-Allow-Origin only accepts:
- * (all origins)
- null
- An exact origin (protocol + domain + port)
Wildcards within origin values like https://*-my-worker.my-subdomain.workers.dev are not supported.
Example of issue
Using the _headers example described in the documentation, when fetching https://my-worker.my-subdomain.workers.dev/asset.png with an origin https://versionprefix-my-worker.my-subdomain.workers.dev, the CORS request fails due to a mismatching Access-Control-Allow-Origin:
Request headers:
OPTIONS /asset.png HTTP/3
Host: my-worker.my-subdomain.workers.dev
Access-Control-Request-Method: GET
Origin: https://versionprefix-my-worker.my-subdomain.workers.dev
Response headers:
HTTP/3 200 OK
Access-Control-Allow-Origin: https://*-my-worker.my-subdomain.workers.dev/
This causes CORS failure as the browser rejects this invalid Access-Control-Allow-Origin header value.
Suggested action
Remove this invalid example from the documentation since it cannot work as described. Alternatively, give an updated example if there is some other workaround.
Additional information
No response
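One possible workaround for the case described in this issue, as an added example that is not part of the issue or of Cloudflare's documentation: validate the request's Origin in Worker code against an anchored pattern and echo back the exact origin, which is a value the Fetch specification accepts. The names `WORKER`, `SUBDOMAIN`, `allowOriginFor` and `handleRequest` are hypothetical, the prefix character set is an assumption, and the static-assets binding is assumed to be named `ASSETS`.

```javascript
// Added example. WORKER and SUBDOMAIN are constructed placeholders that match
// the hostnames used in the issue text.
const WORKER = "my-worker";
const SUBDOMAIN = "my-subdomain";

// Escape regex metacharacters so a "." in a name cannot match any character.
const esc = (s) => s.replace(/[.*+?^${}()|[\]\\]/g, "\\$&");

// Anchored at both ends: the production origin, or "<prefix>-" in front of it.
// The prefix allows no dots, so it cannot introduce another domain level, and
// the trailing "$" rejects suffixes such as ".workers.dev.attacker.example".
const ALLOWED = new RegExp(
  `^https://(?:[a-z0-9]+-)?${esc(WORKER)}\\.${esc(SUBDOMAIN)}\\.workers\\.dev$`
);

// Returns the exact origin to echo in Access-Control-Allow-Origin, or null.
function allowOriginFor(origin) {
  return typeof origin === "string" && ALLOWED.test(origin) ? origin : null;
}

// Fetch handler body; in a Worker, call this from the exported fetch().
// env.ASSETS is the static-assets binding (binding name is an assumption).
async function handleRequest(request, env) {
  const allowed = allowOriginFor(request.headers.get("Origin"));

  if (request.method === "OPTIONS") {
    // Preflight: answer without touching the asset. Static assets only need
    // read methods, so nothing broader is advertised.
    const headers = new Headers({ Vary: "Origin" });
    if (allowed) {
      headers.set("Access-Control-Allow-Origin", allowed);
      headers.set("Access-Control-Allow-Methods", "GET, HEAD");
    }
    return new Response(null, { status: 204, headers });
  }

  const asset = await env.ASSETS.fetch(request);
  const response = new Response(asset.body, asset); // copy with mutable headers
  // Vary: Origin keeps caches from reusing one origin's response for another.
  response.headers.append("Vary", "Origin");
  if (allowed) response.headers.set("Access-Control-Allow-Origin", allowed);
  return response;
}
```

Origins that do not match receive no Access-Control-Allow-Origin header at all, so the browser blocks the cross-origin read by default.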