am using google as login provider but when i set the access control to wildcard like this :

res.header('Access-Control-Allow-Origin', '*');

login via google stop working
But it works properly when i use

res.header('Access-Control-Allow-Origin', 'http://localhost:8100');

which is the JAVASCRIPT ORIGINS and the REDIRECT URIS i specified in the google console.
but now i want to deploy my app up on phone device i need to set it to wild card res.header('Access-Control-Allow-Origin', '*');. since my app on phone not working on localhost:8100 anymore
Other login provider like Facebook working fine in both set ups.
I also would like to ask how could i debug my app when its deployed on phone device.
note its cordova base App.