this is a cool feature but the actual whitelist has to be held internally, in responding to an OPTIONS request, you can respond with * or concrete domain name. you can't return something like "www.example.com, www.foo.com" .
if you want to whitelist multiple domains you have to resolve this server side and check the requesting domain against your list of accepted domains.
Right - it is a good safety feature. Also worth noting that responding with a wildcard will not allow you to set cookies in the browser when using `withCredentials` in the client and `access-control-allow-credentials` on the server. You've got to return a specific origin (one that is a match in your whitelist)
if you want to whitelist multiple domains you have to resolve this server side and check the requesting domain against your list of accepted domains.
this took me a little while to figure out.