R2: Setting CORS policy with different allowed-origins

I’m having trouble with setting the correct CORS policy on my bucket.

What I want to achieve: the bucket may by accessed by via any webpage of any domain, but only with GET method is allowed (so POST/PUT/DELETE are blocked) and from my own domain all methods are allowed.

I’ve tried this but seems not valid:

[
  {
    "AllowedOrigins": [
      "*"
    ],
    "AllowedMethods": [
      "GET"
    ]
  }
  {
    "AllowedOrigins": [
      "https://mydomain.com/"
    ],
    "AllowedMethods": [
      "GET",
      "PUT",
      "POST"
    ]
  }
]

Can anyone help me out how to achieve the correct CORS policy?