A site might have an Access-Control-Allow-Origin response header with value (e.g. *.example.com); this is illegal, as the only valid values are either * or a specific origin (e.g. https://www.example.com). Fiddler should test for this mistake in two places:
1. It should be a new LINT test that looks for a value for this header which is not a legal origin.
2. The existing SecurityHeaders computed field in the Miscellaneous values (http://www.telerik.com/blogs/visualizing-security-information-with-fiddler) should warn (using ! ) if the field value is invalid.
If testing for a legal origin proves too hard (e.g. I'd just use a .NET URI object and TryParse the string from it, if that fails and the input isn't literally "*" then the value is illegal), then as an approximation we could test to see whether the field contains any non-prefix/suffix whitespace (if so, invalid) and check that if it contains * then it contains no other characters (if so, invalid)