From the Hapi docs:
CORS headers are disabled by default. To enable, set cors to true, or to an object with the following options: ...
So either of these should work:
Setting cors to true
server.cors: true
Setting origin to star
server.cors.origin: "*"
You've tried both, so I'm not sure why it wouldn't work. What's the issue you're having? And what header values do you see?