CORS is very request dependent. I found it a little complex, and that is why I specifically asked how you are testing. If you are using Chrome you may not actually be seeing the preflight requests; I use Firefox.
Yes you should be using the full scheme://host.domain format in the accesscontrolalloworiginlist.
To get the requests I needed for testing I ran without cors headers and found a pre-flight request (OPTIONS request). I copied as cURL and used that for my testing.
I would observe the access-control-allow-origin header. I would then change the origin header in the request to a domain not in the CORS list and observe the access-control-allow-origin was not present.
The anatomy of the pre-flight request will have components that look like:
curl 'https://secondsite.example.com' -X OPTIONS -H 'Access-Control-Request-Method: POST' -H 'Origin: https://firstsite.example.com' -i
HTTP/2 200
access-control-allow-credentials: true
access-control-allow-headers: Authorization,Origin,Content-Type,Accept
access-control-allow-methods: GET,POST,HEAD,PUT,DELETE,PATCH,OPTIONS
access-control-allow-origin: https://firstsite.example.com
access-control-max-age: 0
content-length: 0
date: Fri, 10 Jul 2020 12:58:05 GMT
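
The two-origin check described in this post can be scripted; the following is an added example, not part of the original post. The function names, the `notlisted.example.net` origin and the second and third sample responses are constructed for illustration; only the first sample is the response shown above.

```python
import urllib.error
import urllib.request

def preflight(url, origin, method="POST"):
    """Send the OPTIONS pre-flight for `origin`; return response headers (lower-cased)."""
    req = urllib.request.Request(url, method="OPTIONS", headers={
        "Origin": origin, "Access-Control-Request-Method": method})
    try:
        resp = urllib.request.urlopen(req, timeout=10)
    except urllib.error.HTTPError as err:  # a 4xx/5xx answer still carries headers
        resp = err
    return {k.lower(): v.strip() for k, v in resp.headers.items()}

def parse_curl_headers(raw):
    """Parse the header block of saved `curl -i` output into a lower-cased dict."""
    headers = {}
    for line in raw.strip().splitlines()[1:]:  # skip the status line
        if not line.strip():
            break  # blank line ends the header block
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return headers

def origin_allowed(headers, origin):
    """True if the response grants `origin` (exact match, or the `*` wildcard)."""
    acao = headers.get("access-control-allow-origin")
    return acao == origin or acao == "*"

def audit(allow_list, probes):
    """probes maps origin -> headers. Return origins whose result contradicts the list."""
    return [o for o, h in probes.items() if origin_allowed(h, o) != (o in allow_list)]

LISTED = "https://firstsite.example.com"
UNLISTED = "https://notlisted.example.net"  # constructed origin, not in the list

# Response from the post above (trimmed to the relevant headers).
ALLOWED_RESPONSE = """HTTP/2 200
access-control-allow-credentials: true
access-control-allow-origin: https://firstsite.example.com
date: Fri, 10 Jul 2020 12:58:05 GMT
"""
# Constructed: expected answer for an origin outside the list (no allow-origin header).
DENIED_RESPONSE = "HTTP/2 200\ncontent-length: 0\n"
# Constructed: a misconfigured server that echoes back whatever Origin it receives.
REFLECTED_RESPONSE = "HTTP/2 200\naccess-control-allow-origin: " + UNLISTED + "\n"
```

Against a live service, build `probes` with `preflight(url, origin)` for each origin instead of parsing saved output; an empty list from `audit` means the responses match the configured list.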