I want to set the allow_origin to a sub domain, for example app.example.com where the Plone site is running on example.com. The plone.rest package provides a zcml setting for that, but i don't see any allow_origin headers after adding this setting as described in the docs:
"CORS policies can be bound to specific interfaces of content objects and to specific browser layers. This allows us to define different policies for different content types or to override existing policies. The following example defines a policy for the site root.