Thanks, yes, it turns out no wildcards are allowed, but a simple match against the ORIGIN (assuming it exists) takes care of it, e.g. in PHP:
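// wild-card match for an ORIGIN of foo.bar or any subdomain; dots escaped and host anchored so "evilfoo.bar" does not match
$origin = $_SERVER['HTTP_ORIGIN'] ?? '';
if (preg_match('#^https?://([a-z0-9-]+\.)*foo\.bar$#i', $origin)) {
    header("Access-Control-Allow-Origin: $origin");
    header('Vary: Origin'); // the response differs per Origin, so caches must key on it
}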
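An added example, not part of the original post: it compares a loose suffix regex with a check that parses the Origin and matches `foo.bar` only on a label boundary. The function name `allowed_origin`, the HTTPS-only rule and the sample origins are assumptions made for illustration.

```php
<?php
// Added example. "foo.bar" is the placeholder domain from the post;
// the sample origins below are constructed.

const LOOSE_PATTERN = '/.*foo.bar$/'; // loose pattern: unescaped dots, host not anchored

/** Return the origin to echo back, or null when it must not be allowed. */
function allowed_origin(?string $origin, string $base = 'foo.bar'): ?string
{
    if ($origin === null || $origin === '' || $origin === 'null') {
        return null; // missing header or opaque origin
    }
    $parts = parse_url($origin);
    if ($parts === false || !isset($parts['scheme'], $parts['host'])) {
        return null;
    }
    // An Origin is scheme://host[:port] only; reject anything carrying more.
    foreach (['user', 'pass', 'path', 'query', 'fragment'] as $extra) {
        if (isset($parts[$extra])) {
            return null;
        }
    }
    if (strtolower($parts['scheme']) !== 'https') {
        return null; // assumption: only HTTPS origins are trusted
    }
    $host = strtolower($parts['host']);
    $suffix = '.' . $base; // suffix match must start at a label boundary
    if ($host === $base || substr($host, -strlen($suffix)) === $suffix) {
        return $origin;
    }
    return null;
}

$samples = [
    'https://foo.bar',
    'https://app.foo.bar',
    'https://evilfoo.bar',          // different registrable domain
    'https://fooxbar',              // "." in the loose pattern matches any character
    'https://foo.bar.example.net',
    'http://app.foo.bar',
];
foreach ($samples as $o) {
    printf("%-30s loose=%d strict=%d\n", $o, preg_match(LOOSE_PATTERN, $o), allowed_origin($o) !== null);
}
```

Run it with `php` on the command line; the rows where `loose=1` and `strict=0` are origins that a suffix-only regex would have reflected into `Access-Control-Allow-Origin`.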