diff --git a/src/Network/Response.php b/src/Network/Response.php
index f9ca735b4c9..c02c0746e14 100644
--- a/src/Network/Response.php
+++ b/src/Network/Response.php
@@ -1390,9 +1390,9 @@ protected function _normalizeCorsDomains($domains, $requestIsSSL = false)
 $original = $preg = $domain;
 if (strpos($domain, '://') === false) {
- $preg = ($requestIsSSL ? 'https://' : 'http://') . $domain;
+ $domain = ($requestIsSSL ? 'https://' : 'http://') . $domain;
 }
- $preg = '@' . str_replace('*', '.*', $domain) . '@';
+ $preg = '@^' . str_replace('\*', '.*', preg_quote($domain, '@')) . '$@';
 $result[] = compact('original', 'preg');
 }
 return $result;
diff --git a/tests/TestCase/Network/ResponseTest.php b/tests/TestCase/Network/ResponseTest.php
index e34ff8ef7ff..f14aa163a5e 100644
--- a/tests/TestCase/Network/ResponseTest.php
+++ b/tests/TestCase/Network/ResponseTest.php
@@ -1113,11 +1113,14 @@ public function corsData()
 {
 $fooRequest = new Request();
- $secureRequest = $this->getMock('Cake\Network\Request', ['is']);
- $secureRequest->expects($this->any())
- ->method('is')
- ->with('ssl')
- ->will($this->returnValue(true));
+ $secureRequest = function () {
+ $secureRequest = $this->getMock('Cake\Network\Request', ['is']);
+ $secureRequest->expects($this->any())
+ ->method('is')
+ ->with('ssl')
+ ->will($this->returnValue(true));
+ return $secureRequest;
+ };
 return [
 [$fooRequest, null, '*', '', '', false, false],
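Review bot: The anchored pattern built on the new `$preg` line no longer matches an Origin that carries an explicit port, because `^http://.*\.foo\.com$` leaves no room for a `:8080` suffix after the host, whereas the previous unanchored regex accepted such origins; the commit neither mentions this behaviour change nor covers it in `corsData()`. If ports are expected to be listed explicitly in the allowed-domain configuration, that deserves a sentence in the method's docblock and a data row pinning it. Separately, the wildcard still expands to `.*`, which matches any character rather than only host characters; narrowing it with `str_replace('\*', '[^/]*', preg_quote($domain, '@'))` keeps the nested-subdomain semantics of `*.foo.com` while refusing a `/` inside the host part of the origin. `_normalizeCorsDomains()` starts and ends outside the hunk.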
@@ -1129,9 +1132,15 @@ public function corsData()
 [$fooRequest, 'http://www.foo.com', 'https://*.foo.com', '', '', false, false],
 [$fooRequest, 'http://www.foo.com', ['*.bar.com', '*.foo.com'], '', '', 'http://www.foo.com', false],
- [$secureRequest, 'https://www.bar.com', 'www.bar.com', '', '', 'https://www.bar.com', false],
- [$secureRequest, 'https://www.bar.com', 'http://www.bar.com', '', '', false, false],
- [$secureRequest, 'https://www.bar.com', '*.bar.com', '', '', 'https://www.bar.com', false],
+ [$fooRequest, 'http://not-foo.com', '*.foo.com', '', '', false, false],
+ [$fooRequest, 'http://bad.academy', '*.acad.my', '', '', false, false],
+ [$fooRequest, 'http://www.foo.com.at.bad.com', '*.foo.com', '', '', false, false],
+ [$fooRequest, 'https://www.foo.com', '*.foo.com', '', '', false, false],
+
+ [$secureRequest(), 'https://www.bar.com', 'www.bar.com', '', '', 'https://www.bar.com', false],
+ [$secureRequest(), 'https://www.bar.com', 'http://www.bar.com', '', '', false, false],
+ [$secureRequest(), 'https://www.bar.com', '*.bar.com', '', '', 'https://www.bar.com', false],
+ [$secureRequest(), 'http://www.bar.com', '*.bar.com', '', '', false, false],
 [$fooRequest, 'http://www.foo.com', '*', 'GET', '', '*', 'GET'],
 [$fooRequest, 'http://www.foo.com', '*.foo.com', 'GET', '', 'http://www.foo.com', 'GET'],