The first option forces the value of the "origin" request header which will also become the value of the "access-control-allow-origin" response header. It's useless for most people and only there for testing purposes.

The whitelist defines which values of "origin" are allowed to bypass CORS when the addon is active. It's a list of fully qualified regular expressions, with delimiters and flags, separated by newlines.
See also this: https://github.com/spenibus/cors-everywhere-firefox-addon/issues/23#issuecomment-447669576