The origin URL pattern must include the HTTPS protocol (unless you’re using localhost) and a domain name, and can optionally include a port. The wildcard character (*) is supported and must precede a second-level domain name. For example, https://*.example.com adds all subdomains of example.com to the whitelist.
If a browser that supports CORS makes a request from an origin in the Salesforce CORS whitelist, Salesforce returns the origin in the Access-Control-Allow-Origin HTTP header. Salesforce also returns any additional CORS HTTP headers. If the origin isn’t in the whitelist, Salesforce returns HTTP status code 403.
You must still pass an OAuth token with requests that require it.
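The pattern rules and the allow-or-403 behavior described above can be modeled as follows. This is an added example, not Salesforce code: the function names, the exact scheme and port comparison, the choice that the wildcard does not cover the bare domain, and the 200 status are assumptions made for illustration.

```javascript
// Added illustration of the whitelist rules described above; not Salesforce code.
const ORIGIN_RE = /^(https?):\/\/([^\/:]+)(?::(\d{1,5}))?$/;

// Pattern rules from the text: HTTPS unless localhost, a domain name,
// optional port, "*" only in front of a second-level domain name.
function isValidPattern(pattern) {
  const m = ORIGIN_RE.exec(pattern);
  if (!m) return false;
  const scheme = m[1], host = m[2].toLowerCase();
  if (host === "localhost") return true;
  if (scheme !== "https") return false;
  const labels = host.split(".");
  if (labels.length < 2) return false;
  if (host.includes("*")) {
    // "*" must be the entire first label, followed by domain + TLD.
    if (labels[0] !== "*" || labels.length < 3) return false;
    if (labels.slice(1).some((l) => l.includes("*"))) return false;
  }
  return labels.every((l) => l === "*" || /^[a-z0-9-]+$/.test(l));
}

// Assumptions: scheme and port must match exactly; "*" covers one or more
// subdomain labels but not the bare domain itself.
function originMatches(origin, pattern) {
  const o = ORIGIN_RE.exec(origin), p = ORIGIN_RE.exec(pattern);
  if (!o || !p || !isValidPattern(pattern)) return false;
  if (o[1] !== p[1] || (o[3] || "") !== (p[3] || "")) return false;
  const oHost = o[2].toLowerCase(), pHost = p[2].toLowerCase();
  if (!pHost.startsWith("*.")) return oHost === pHost;
  // Keep the leading dot so "evilexample.com" cannot match "*.example.com".
  const suffix = pHost.slice(1);
  return oHost.length > suffix.length && oHost.endsWith(suffix);
}

// Model of the response: echo the origin on a match, otherwise 403.
// (The 200 status and the response shape are constructed for this example.)
function corsResponse(origin, whitelist) {
  const allowed = whitelist.some((p) => originMatches(origin, p));
  return allowed
    ? { status: 200, headers: { "Access-Control-Allow-Origin": origin } }
    : { status: 403, headers: {} };
}

// Constructed sample whitelist.
const SAMPLE_WHITELIST = ["https://*.example.com", "http://localhost:3000"];
```

Anchoring the wildcard comparison on the leading dot is what keeps a look-alike registrable domain from being treated as a subdomain of a whitelisted one.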