Not sure if this is some old convention, but returning multiple Access-Control-Allow-Origin headers is now considered non-standard behavior by Chrome/Firefox etc
This is caused by CSP (Content Security Policy). We have allowed CORS by default for WMTS service. Your app might be sending another CORS header. Make sure that your localhost complies with the Chrome/Firefox recommendation.
Please refer to the screenshot. The server is sending multiple Access-control-allow-origin headers in the response to a single request. One of them should be removed to comply with Firefox recommendation.
This has been resolved.