docs: list all supported origins in CORS guidance

timothyaterton · timothyaterton · commit b66042c5811f · 2026-04-24T10:17:02.000Z
Address review comment: since Internet Identity is served under legacy
alias hostnames as well, the CORS guidance should mention all supported
origins, not just id.ai.
diff --git a/docs/ii-spec.mdx b/docs/ii-spec.mdx
@@ -332,7 +332,7 @@ To prevent misuse of this feature, the number of alternative origins _must not_
 :::
 
 :::note
-In order to allow Internet Identity to read the path `/.well-known/ii-alternative-origins`, the CORS response header [`Access-Control-Allow-Origin`](https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Access-Control-Allow-Origin) must be set and allow the Internet Identity origin `https://id.ai`.
+In order to allow Internet Identity to read the path `/.well-known/ii-alternative-origins`, the CORS response header [`Access-Control-Allow-Origin`](https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Access-Control-Allow-Origin) must be set and allow the Internet Identity origin being used, for example `https://id.ai`, `https://identity.internetcomputer.org`, or `https://identity.ic0.app`.
 :::
 
 ## The Internet Identity Service Backend interface
