update Supabase docs

[bdon]

@thorwebdev I am wondering if this actually works:

const ALLOWED_ORIGINS = ["http://localhost:3000"];
const corsHeaders = {
  "Access-Control-Allow-Origin": ALLOWED_ORIGINS.join(","),
};
...
return new Response("ok", { headers: corsHeaders });

From what I can tell if you specify 2 or more ALLOWED_ORIGINS then it will return a comma-separated list in the ACAO header, which is usually not accepted by browsers? have you tested that case?