Cloudflare Worker example of how you can handle the OPTIONS verb and set some CORS details in the response header

workerOptions.js

addEventListener('fetch', event => {
  event.respondWith(handleRequest(event))
})

/**
 * Entry point of the worker
 */
async function handleRequest(event) {
  // Generate the CORS headers I'll have to return with requests
  const corsHeaders = setCorsHeaders(new Headers())

  try {
    const requestMethod = event.request.method
    const requestUrl = new URL(event.request.url)
    console.log(requestUrl)

    // Always return the same CORS info
    if(requestMethod === 'OPTIONS') {
      return new Response('', { headers:corsHeaders })
    }
    
    // For any other request, simple get it and return it
    const response = await fetch(event.request)
    return response
  }
  catch (err) {
    return new Response(err.stack, { status: 500, headers:corsHeaders })
  }
}

/**
 * Setup the CORS headers to the details
 */
function setCorsHeaders(headers) {
    // Not a good idea to leave it to wildcard; I'm only doing so for initial testing/dev
    headers.set('Access-Control-Allow-Origin', '*') 
    
    // Note the allowed verbs. You can add more
    headers.set('Access-Control-Allow-Methods', 'POST, GET')
    
    // You can manually add additional header values here. I added one for reCAPTCHA
    headers.set('Access-Control-Allow-Headers', 'access-control-allow-headers, g-recaptcha') 
    
    headers.set('Access-Control-Max-Age', 1728000)
    return headers
}

headers.set('Access-Control-Allow-Origin', '*') How can one allow multiple origins all from https://*.contoso.com ?