Most APIs that support CORS specify acceptable domains not with a wildcard but by mirroring the caller's origin. I believe that this is mainly a XSS mitigation technique.
This is an important feature because the CORS specification blocks cookie-based authentication when using wildcard domains. This is the only viable method for enabling clients of CouchDB backed APIs to use cookie based authentication.
EDIT: clarified situation, relation to spec and security.