Currently in FME Server 2018.0, the FME Server Application Server follows standard CORS guidelines for Apache Tomcat and only allows * (all) or specific hostnames (http://server.domain.com) to be entered into the Allowed Origins Header for CORS.
This idea has been created to collect feedback and interest for supporting wildcards on the subdomain level – for example, http://*.domain.com.
There are a few resources that indicate this would be possible:
https://stackoverflow.com/questions/14003332/access-control-allow-origin-wildcard-subdomains-ports-and-protocols
https://stackoverflow.com/questions/27147737/cors-filter-allow-all-sub-domains
http://starredmediasoft.com/cors-allow-origin-domain-using-wildcard-operator/
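What a subdomain-level wildcard has to check before an origin is echoed back, shown as an added example that is not FME Server or Tomcat code. The function names and the constructed allow-list are assumptions for illustration; the pattern syntax is the one proposed above.

```python
import re
from urllib.parse import urlsplit

# Constructed allow-list using the pattern syntax proposed in the idea.
ALLOWED = ["http://*.domain.com", "http://server.domain.com"]

def normalize_origin(origin):
    """Return (scheme, host, port) for a well-formed Origin value, else None."""
    try:
        parts = urlsplit(origin)
        port = parts.port
    except ValueError:
        return None
    host = (parts.hostname or "").lower()
    if parts.scheme not in ("http", "https") or not re.fullmatch(r"[a-z0-9.-]+", host):
        return None
    # An origin is scheme://host[:port] only: no userinfo, path, query or fragment.
    if "@" in parts.netloc or parts.path or parts.query or parts.fragment:
        return None
    return parts.scheme, host, "" if port is None else str(port)

def match_origin(origin, patterns=ALLOWED):
    """Return the normalized origin if a pattern allows it, else None."""
    parsed = normalize_origin(origin)
    if parsed is None:
        return None
    scheme, host, port = parsed
    for pattern in patterns:
        p_scheme, _, rest = pattern.lower().partition("://")
        p_host, _, p_port = rest.partition(":")
        if (scheme, port) != (p_scheme, p_port):
            continue
        if p_host.startswith("*."):
            suffix = p_host[1:]  # ".domain.com": the leading dot is the label boundary
            matched = host.endswith(suffix) and len(host) > len(suffix)
        else:
            matched = host == p_host
        if matched:
            return f"{scheme}://{host}" + (f":{port}" if port else "")
    return None

def cors_headers(origin, patterns=ALLOWED):
    """Headers to add to the response; empty when the origin is not allowed."""
    allowed = match_origin(origin, patterns)
    if allowed is None:
        return {}
    # Echo the single matched origin (never the pattern) and key caches on Origin.
    return {"Access-Control-Allow-Origin": allowed, "Vary": "Origin"}
```

The response carries the one matched origin rather than the pattern, because browsers compare Access-Control-Allow-Origin literally and do not expand a partial wildcard.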