Yeah, I know that. What I meant was that I did not want to set wildcards for the access-control-allow-origin header. If you use hostname reflection like in the linked stackoverflow example, issues arise when the widget is cached browser side by site A and then invoked by site B.