WMTS endpoints returning multiple CORS headers

Not sure if this is some old convention, but returning multiple Access-Control-Allow-Origin headers is now considered non-standard behavior by Chrome/Firefox etc