mPulse CORS and Resource Timing
The Resource Timing API
Timing-Allow-Origin = "Timing-Allow-Origin" ":" origin-list-or-null | "*"
If you have third-party tags/elements on your pages, you will need to have those service providers add this header to their elements responses in order to get component-level details in the mPulse waterfalls for those page assets as well.
That being said, if you want to use a more restricted Timing-Allow-Origin, you can have your site respond with the same value of the Origin HTTP request header. The Origin HTTP request header is added to any request for third-party domains. So if a browser requests content from a server with:
You can include this HTTP header:
If however, someone requests content from:
You can skip responding with the Timing-Allow-Origin header.