According to the CORS spec, Access-Control-Allow-Origin takes a white space separated list of origins (or "null", or "*"). We currently only support a single origin. http://www.w3.org/TR/cors/#access-control-allow-origin-response-hea http://tools.ietf.org/html/draft-abarth-origin-09#section-6.1
I misread the specification. The origin-list describes the set of origins the response should be accessible to. It's not a list of individual origins to allow. Sorry for the noise.