What should be the expected behaviour of the CORS policy if my API returns an Access-Control-Allow-Origin header with a single domain specified inside the response, but the orig