The documentation implies that this should work, but it doesn’t. header is both a matcher and a directive… it’s a little confusing. Even if it worked I wouldn’t do it this way.
header Origin origin1.com header Access-Control-Allow-Origin origin1.com