When you define a CORS rule, the value you enter in the Domain field must meet certain
requirements. Each CORS rule supports a single wildcard to match incoming Origin
The value you enter in the Domain
field on the CORS Rule form must
meet the following requirements.
- Begins with HTTP:// or HTTPS://.
- Is a domain pattern or IP address.
- Ends with alphanumeric characters preceeded by a period, such as
- Includes at most a single wildcard character immediately following the scheme and
hierarchical portion of the domain pattern.
You can use a single wildcard character (*) in the domain pattern. Use this wildcare
immediately following the scheme and hierarchical portion of the domain pattern, such as
to include all subdomains. The wildcard must
immediately follow the scheme and hierchical portion of the domain pattern. If you use an IP
address instead of domain pattern, you must enter the full IP address without a
Note: You cannot use multiple wildcards, or specify a wildcard without a domain
pattern. Values such as * or *.* are not supported.
When evaluating the Origin header in a request, ServiceNow prioritizes CORS rules that
match the domain pattern exactly. If no exact match is found, the next closest match is
For example, if there are rules for the domain patterns
http://*.mysite.com, a request from
http://alice.blog.mysite.com will match the
Examples of valid and invalid domains
Table 1. Examples