I mentioned this in #5185 already; I don't think it makes much sense to only allow a single value for CORS-allowed domains. For example, if you want to allow people to use the official photon deployment at https://phtn.app/ and also the official voyager deployment at https://vger.app/, but no other domains, you'll need to allow both of them. The current implementation does not allow for that.
Originally posted by @Nothing4You in https://github.com/LemmyNet/lemmy/issues/5194#issuecomment-2471508061
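
One way a multi-origin allowlist can work, as an added example that is not Lemmy's code and not part of the original comment: because `Access-Control-Allow-Origin` carries only one origin (or `*`), the server matches the request's `Origin` against the list and echoes back the one that matched, together with `Vary: Origin`. The comma-separated config format and the function names `normalize`, `parse_allowlist` and `cors_headers` are assumptions made for illustration.

```rust
// Added example (hypothetical names, std only); not taken from Lemmy.

/// Normalize an origin string: trim whitespace, drop a trailing '/',
/// and lowercase it (scheme and host are case-insensitive). The URLs in
/// the comment end in '/', while a browser's Origin header does not.
fn normalize(origin: &str) -> String {
    origin.trim().trim_end_matches('/').to_ascii_lowercase()
}

/// Parse an assumed comma-separated config value into allowed origins.
fn parse_allowlist(config: &str) -> Vec<String> {
    config
        .split(',')
        .map(normalize)
        .filter(|o| !o.is_empty())
        .collect()
}

/// Decide the CORS response headers for one request.
/// Returns None when the Origin header is absent or not on the allowlist.
fn cors_headers(
    allowlist: &[String],
    request_origin: Option<&str>,
) -> Option<Vec<(&'static str, String)>> {
    let origin = normalize(request_origin?);
    // Exact comparison only: prefix or suffix matching would also accept
    // look-alike origins that merely contain an allowed name.
    if allowlist.iter().any(|allowed| *allowed == origin) {
        Some(vec![
            ("Access-Control-Allow-Origin", origin),
            // The response now depends on the request's Origin, so caches
            // must key on it.
            ("Vary", "Origin".to_string()),
        ])
    } else {
        None
    }
}

fn main() {
    // The two deployments named in the comment, as one config value.
    let allow = parse_allowlist("https://phtn.app/, https://vger.app/");
    // Constructed request origins; the third is a placeholder domain.
    for o in ["https://phtn.app", "https://vger.app", "https://other.example.invalid"] {
        println!("{o} -> {:?}", cors_headers(&allow, Some(o)));
    }
}
```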