I am using laravel 11 with cors middleware default, + vite to build assets this is my config:

<?php

return [

    /*
    |--------------------------------------------------------------------------
    | Cross-Origin Resource Sharing (CORS) Configuration
    |--------------------------------------------------------------------------
    |
    | Here you may configure your settings for cross-origin resource sharing
    | or "CORS". This determines what cross-origin operations may execute
    | in web browsers. You are free to adjust these settings as needed.
    |
    | To learn more: https:// developer.mozilla.org/en-US/docs/Web/HTTP/CORS
    |
    */

    'paths' => ['build/*', 'sanctum/csrf-cookie','auth/steam', 'api/*'],

    'allowed_methods' => ['GET', 'OPTIONS'],

    'allowed_origins' => ['*.'.config('app.domain'), 'www.'.config('app.domain')],

    'allowed_origins_patterns' => [],

    'allowed_headers' => ['*'],

    'exposed_headers' => [],

    'max_age' => 0,

    'supports_credentials' => false,

];

But i still get CORS missing allow origin when call build assets from www. subdomain and I'm on another subdomain

EDIT: The problem is with the js scripts, only they give a strange cors error intersting that the css works

Solution: Laravel work great, the problem was on static files which are only handled by apache, so i modified .htaccess to access CORS by origin and now it's working

<FilesMatch "\.(ttf|otf|eot|woff|woff2|js|css)$">
    <IfModule mod_headers.c>
        SetEnvIf Origin "http(s)?://(.*)?(site\.baa|site\.dee|site\.com)$" AccessControlAllowOrigin=LARACASTS_SNIPPET_PLACEHOLDER
        Header add Access-Control-Allow-Origin %{AccessControlAllowOrigin}e env=AccessControlAllowOrigin
        Header merge Vary Origin
		Header set Access-Control-Allow-Methods "GET, POST, OPTIONS"
		Header set Access-Control-Allow-Headers "Origin, X-Requested-With, Content-Type, Accept"
    </IfModule>
</FilesMatch>