Using wildcards in "allowedOrigins" for server actions is not working

[steam0]

Summary

We are trying to configure allowedOrigins for serverActions. We have been using the following configuration, as suggested by the documentation: Server Actions

Our configuration

const nextConfig = {
  experimental: {
    serverActions: {
      allowedOrigins: [
        'mydomain.com',
        '*.mydomain.com',
      ],
    }
  },
  (...)

Still while using this config, we see that we get the following error:

`x-forwarded-host` header with value `signupv3-qa01.apps.ocpdq02.mydomain.com` does not match `origin` header with value `www.qa01.mydomain.com` from a forwarded Server Actions request. Aborting the action.
Error: Invalid Server Actions request.
    at rP (/opt/app-root/src/node_modules/next/dist/compiled/next-server/app-page.runtime.prod.js:15:7099)
    at r5 (/opt/app-root/src/node_modules/next/dist/compiled/next-server/app-page.runtime.prod.js:18:1145)
    at /opt/app-root/src/node_modules/next/dist/compiled/next-server/app-page.runtime.prod.js:19:726
    at AsyncLocalStorage.run (node:async_hooks:346:14)
    at Object.wrap (/opt/app-root/src/node_modules/next/dist/compiled/next-server/app-page.runtime.prod.js:13:16657)
    at /opt/app-root/src/node_modules/next/dist/compiled/next-server/app-page.runtime.prod.js:19:616
    at AsyncLocalStorage.run (node:async_hooks:346:14)
    at Object.wrap (/opt/app-root/src/node_modules/next/dist/compiled/next-server/app-page.runtime.prod.js:13:15765)
    at r9 (/opt/app-root/src/node_modules/next/dist/compiled/next-server/app-page.runtime.prod.js:19:543)
    at nk.render (/opt/app-root/src/node_modules/next/dist/compiled/next-server/app-page.runtime.prod.js:19:4540)

This yields two questions:

1. Are wildcards not supported, and the documentation with examples are wrong?
2. If wildcards are supported, what are we doing wrong here?

Additional information

Using next 14.2.3

Example

No response

[robclouth]

Did you manage to resolve this? I have the same issue

[steam0]

No, we had to hardcode dev, stage and prod environments in here. It really sucks that we cannot use wildcards.

[buildingwatsize]

Err... Maybe late, but I figured out that you need to fixed like these.

const nextConfig = {
  experimental: {
    serverActions: {
      allowedOrigins: [
        'mydomain.com',
        '**.mydomain.com', // <<----- double-wildcard for ignore front part, e.g. x.y.z.mydomain.com which "x.y.z." would be ignore.
      ],
    }
  },
  (...)

This could be work! happy coding.