Yeah, I know that. What I meant was that I did not want to set wildcards for the access-control-allow-origin header. If you use hostname reflection like in the linked stackoverflow example, issues arise when the widget is cached browser side by site A and then invoked by site B.
http://stackoverflow.com/questions/298745/how-do-i-send-a-cr...