Is it possible to declare multiple origins to allow?

[PanicIsReal]

The option says origin expects a string, is it possible to allow an array of strings so you can allow more than one domain?

[ahauser31]

I might be mistaken, but from what I gathered from the spec is that multiple domains are not supported ( https://www.w3.org/TR/cors/#access-control-allow-credentials-response-header ). To use multiple origins with this middleware, use the feature to pass a function in options.origin that compares the origin of the request (this.get('origin') in Koa 1) with your array and echos back the request origin if it is on your list.