There can only be one Access-Control-Allow-Origin response header, and that header can only have one origin value. Therefore, in order to get this to work, you need to have some code that:
Grabs the Origin request header.
Checks if the origin value is one of the whitelisted values.
If it is valid, sets the Access-Control-Allow-Origin header with that value.
I don't think there's any way to do this solely through the web.config.
From stack overflow: http://stackoverflow.com/questions/17323350/access-control-allow-origin-with-multiple-domains
There can only be one Access-Control-Allow-Origin response header, and that header can only have one origin value. Therefore, in order to get this to work, you need to have some code that:
Grabs the Origin request header. Checks if the origin value is one of the whitelisted values. If it is valid, sets the Access-Control-Allow-Origin header with that value. I don't think there's any way to do this solely through the web.config.