Why, when the CORS policy plugin is used, do I get multiple Access-Control-Allow-Origin headers in the response. From curl:

Access-Control-Allow-Origin: http://blah.com

Access-Control-Allow-Origin: Jetty(9.2.19.v20160908)

Chrome does not like the multiple headers, so the API request fails.