After dealing with this for several hours, I'm honestly curious as to why the Cross Origin Resource Sharing specification is so complex. How does the dance actually improve security? Would it not be as effective to just check the headers of the response, rather than making a separate OPTIONS request?
EDIT: Thanks for the link! Maybe my question will be more Googleable so people find the other answer more often.