diff --git a/project/project/settings/common.py b/project/project/settings/common.py
index 2f9e59e5e0a4b45bc72215a6afb47cb0164fe942..4a38ebc6d07285843026cbcb1260c3e919dfc181 100644
--- a/project/project/settings/common.py
+++ b/project/project/settings/common.py
@@ -112,12 +112,10 @@ CORS_ORIGIN_REGEX_WHITELIST = (
 # Allow local hosts on any port
 r'^(https?://)?localhost(:\d+)?$',
 r'^(https?://)?127\.0\.0\.1(:\d+)?$',
- # Allow hosts such as:
- # - https://oser-cs.herokuapp.com
- # - https://oser-frontend-dev.herokuapp.com
- # (but also https://unknown.herokuapp.com...)
- # Essentially allows any frontend hosted on Heroku to send CORS requests.
- r'^(https?://)?(.+\.)?herokuapp\.com$'
+ # Allow any app hosted on Heroku
+ r'^(https?://)?(.+\.)?herokuapp\.com$',
+ # Allow any app on *oser-cs.fr
+ r'^(https?://)?(.+\.)?oser-cs\.fr$',
 )
 
 X_FRAME_OPTIONS = 'DENY' # refuse to serve in an <iframe>
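Review bot: The `herokuapp\.com` pattern kept on the new side accepts every origin under a shared hosting domain where anyone can register an app, and this commit drops the old comment that warned about exactly that (`https://unknown.herokuapp.com`). If the API also allows credentialed CORS requests (not visible in this hunk), any such app could read authenticated responses in a visitor's browser. Pin the entry to the deployments named in the removed comment, e.g. `r'^https://(oser-cs|oser-frontend-dev)\.herokuapp\.com$',`, or at least restore the warning comment. The new `oser-cs\.fr` entry is under the project's own domain, but `(https?://)?` still admits plain-http origins; `r'^https://(.+\.)?oser-cs\.fr$',` would restrict it to TLS origins. The `CORS_ORIGIN_REGEX_WHITELIST` tuple begins before the hunk.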