Looking at how the filter works, it looks like we either find * which allows all origins, or - we look for exact matches in the configuration based upon the Origin HTTP header.

So you can't allow all subdomains in FusionAuth at this time.

Yes, just confirmed the fact that this is a Safari only issue. Only Safari seems to be doing this, we don’t return a 403 so this must a CORS failure. Perhaps Apple is sending additional headers on the request when using Safari that need to be accounted for in the Allowed headers.

I added GET to the allowed methods for CORS and it works that seems to allow it to work in Safari. Please test and let me know.

The redirect workflow looks to be different in Safari when using native controls vs Chrome or other browsers.