Background:
I am creating a REST API that will require users to use only a JavaScript file; for that I made an AJAX request that gets data from the server.
In order to do that I wrote the following line in PHP:
Access-Control-Allow-Origin: *
I have a few questions:
1) What is the security hole that is present if I open the ability of other domains to interact with me?
(Access-Control-Allow-Origin: *)
2) What should I do to secure it?
3) Does this “Allow-Origin” work in all browsers (mobile…), or does it not matter?
If you use the wildcard, that means any domain can make a cross domain request to your domain and get the page. For example, say you are logged into your GMail account. Naturally, when you open up a window to http://gmail.com, you will instantly see your emails and messages (there’s some redirection happening, but let’s assume not for the sake of the example and simplicity).
Well if I make a website (be it anything) and I manage to get you on that website, or alternatively, I manage to modify a website that you frequently go on, I could make an AJAX request to GMail, and if GMail had Allow-Origin: * and you were logged in, the AJAX request would return the HTML of the page that is usually shown to you; the list of your emails. At worst I get a list of all your emails and the persons you sent them to, at best I can also manipulate the requests and get a lot more information.
I wouldn’t use a wildcard if I were you; I would use some sort of list of trusted domains.
The Allow Origin is enforced server side. As for cross origin AJAX support, it is supported in most browsers. For older versions of IE, you have to use a different object to make the requests.
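One way to implement the list of trusted domains the answer recommends, as an added example that is not code from the original post: the server compares the browser-supplied Origin header exactly against an allowlist and echoes back only a matching origin, never the wildcard. The origins, function names and JSON body below are hypothetical.

```php
<?php
// Added example (not from the original post). Replace the wildcard with an
// explicit allowlist of trusted origins. Origins below are hypothetical.
const TRUSTED_ORIGINS = [
    'https://app.example.com',
    'https://admin.example.com',
];

/**
 * Return the origin to echo back, or null if the request's origin is not trusted.
 * Exact string match on scheme + host + port; no substring or regex matching,
 * so "https://app.example.com.attacker.test" is not accepted by accident.
 */
function allowedOrigin(?string $origin, array $trusted): ?string
{
    if ($origin === null || $origin === '') {
        return null; // same-origin or non-browser request: no CORS headers needed
    }
    return in_array($origin, $trusted, true) ? $origin : null;
}

function sendCorsHeaders(array $trusted): void
{
    $origin = allowedOrigin($_SERVER['HTTP_ORIGIN'] ?? null, $trusted);
    if ($origin === null) {
        return; // no ACAO header: the browser refuses the cross-origin read
    }
    header('Access-Control-Allow-Origin: ' . $origin);
    // Responses now differ per origin, so caches must key on Origin;
    // otherwise one origin's answer could be served to another.
    header('Vary: Origin');
    // Only send this if the API genuinely needs cookies cross-origin.
    // Browsers reject it in combination with a wildcard origin.
    header('Access-Control-Allow-Credentials: true');
    header('Access-Control-Allow-Methods: GET, POST, OPTIONS');
    header('Access-Control-Allow-Headers: Content-Type, Authorization');

    if (($_SERVER['REQUEST_METHOD'] ?? 'GET') === 'OPTIONS') {
        http_response_code(204); // preflight request: headers only, no body
        exit;
    }
}

sendCorsHeaders(TRUSTED_ORIGINS);
header('Content-Type: application/json');
echo json_encode(['status' => 'ok']); // hypothetical API response
```

Requests from origins not on the list still reach the PHP script; the allowlist only decides whether the browser lets a page on that origin read the response.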