Is there an existing issue for this?

• I have searched the existing issues

What version of workers-rs are you using?

0.1.0

What version of wrangler are you using?

3.34.2

Describe the bug

When setting multiple origins to the CORS configuration:

let cors = Cors::new().with_origins(["https://example.com", "https://lwn.net"]);
response.with_cors(&cors)?;

And then sending a pre-flight request with Origin set as https://example.com, the response header is set like this:

Access-Control-Allow-Origin: "https://example.com,https://lwn.net"

This will lead to a CORS error, because the header must be a single origin, not multiple. How tower-http does this is defined here:

https://github.com/tower-rs/tower-http/blob/main/tower-http/src/cors/allow_origin.rs#L124

If the origin value is a list of urls, it uses the header value from the request, finds the origin from the list and sets the header to be exactly one URL matching the request origin. If the origin is not defined in the list, the header should be omitted.

Steps To Reproduce

1. Send a pre-flight request with Origin: https://example.com
2. Respond from a worker with CORS origins set to ["https://example.com", "https://lwn.net"]
3. Witness a CORS error in the browser