diff --git a/api/src/extensions/channels/web/base-web-channel.ts b/api/src/extensions/channels/web/base-web-channel.ts
index 389ec00d..0797d3c6 100644
--- a/api/src/extensions/channels/web/base-web-channel.ts
+++ b/api/src/extensions/channels/web/base-web-channel.ts
@@ -317,10 +317,10 @@ export default abstract class BaseWebChannelHandler<
 .some((origin: string) => {
 // If we find a whitelisted origin, send the Access-Control-Allow-Origin header
 // to greenlight the request.
- return origin === req.headers.origin || origin === '*';
+ return origin === req.headers.origin;
 });
 
- if (!foundOrigin) {
+ if (!foundOrigin && !origins.includes('*')) {
 // For HTTP requests, set the Access-Control-Allow-Origin header to '', which the browser will
 // interpret as, 'no way Jose.'
 res.set('Access-Control-Allow-Origin', '');
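Review bot: With the new condition a `'*'` entry skips the deny branch while `foundOrigin` stays false, so what is sent for a wildcard configuration is decided entirely by code after the hunk, which is not visible here. If that code echoes `req.headers.origin` or sets `Access-Control-Allow-Credentials`, a wildcard entry would let any site make credentialed cross-origin requests; the wildcard path should answer with a literal `*` and no credentials header. I would name and document the case, e.g. `const allowAnyOrigin = origins.includes('*'); // wildcard: never combine with credentials`, and test `if (!foundOrigin && !allowAnyOrigin)`. Also, `includes('*')` is an exact match on the raw list, so if the chain feeding `.some` (it starts above the hunk) normalizes entries, a padded `' *'` would be treated differently by the two checks.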