Middleware CORS - how can I add more than one origin

I want to start locking down things. There is a field Origin in the CORS middleware of Sparkle. How can I add more than one origin.

There is no such option in CORS middleware itself (only one origin is allowed for now). But you can easily accomplish it using a generic middleware:

procedure TForm3.XDataServer1GenericRequest(Sender: TObject;
  Context: THttpServerContext; Next: THttpServerProc);
var
  Origin: string;
begin
  Origin := Context.Request.Uri.Host;
  if IsValidOrigin(Origin) then // you should create your own IsValidOrigin 
    Context.Response.Headers.SetValue('Access-Control-Allow-Origin', Origin)
  else
    Context.Response.Headers.Remove('Access-Control-Allow-Origin');
  Next(Context);
end;