diff --git a/project/project/settings/common.py b/project/project/settings/common.py
index 5b270fec22d85cafc58592b0fd191605443e9740..e7a0ab5c7963f601e20c650d68dd47661b577517 100644
--- a/project/project/settings/common.py
+++ b/project/project/settings/common.py
@@ -113,12 +113,10 @@ CORS_ORIGIN_REGEX_WHITELIST = (
     # Allow local hosts on any port
     r'^(https?://)?localhost(:\d+)?$',
     r'^(https?://)?127\.0\.0\.1(:\d+)?$',
-    # Allow hosts such as:
-    # - https://oser-cs.herokuapp.com
-    # - https://oser-frontend-dev.herokuapp.com
-    # (but also https://unknown.herokuapp.com...)
-    # Essentially allows any frontend hosted on Heroku to send CORS requests.
-    r'^(https?://)?(.+\.)?herokuapp\.com$'
+    # Allow any app hosted on Heroku
+    r'^(https?://)?(.+\.)?herokuapp\.com$',
+    # Allow any app on *oser-cs.fr
+    r'^(https?://)?(.+\.)?oser-cs\.fr$',
 )
 X_FRAME_OPTIONS = 'DENY'  # refuse to serve in an <iframe>