I fully agree with you, that's why I've included all the different examples to explain each concept in detail and added the disclaimer: "Below will follow a few examples that you can copy/paste, be mindful how much you want to allow the browser to do though."
Something you can use for the origin is also this:
add_header Access-Control-Allow-Origin $http_origin;
This way it adds the requesting origin to the "whitelisted" domains. But yes, as you said, it's best to restrict these and not leave them wide open.
We're a place where coders share, stay up-to-date and grow their careers.
We strive for transparency and don't collect excess data.