CORS documentation and validation are not consistent

[howardjohn]

The docs say you can have *.com and *, and the example on https://gateway-api.sigs.k8s.io/geps/gep-1767/?h=cors shows the same. The validation only allows a fully qualified name.

I think the fix is to loosen the validation

[howardjohn]

Also its not 100% clear in the spec but I think you can only have 1 * and it must be the first element if so?

[youngnick]

In #3667, we discussed that we will loosen this, but since it needs some research, it's better to launch with a tighter validation and loosen later. So we're removing this from the v1.3.0 milestone.

[howardjohn]

One thing ambiguous in the current spec is if a the following are valid:

• foo*bar.com
• *.foo.*.com
• foo.*.com
  I assume no and you can only have exactly 1 wildcard as the prefix but we should codify this and validate it