The CORS headers which worked for me on PHP Apache and Chrome are:
header(“Access-Control-Allow-Methods: GET, POST, PUT, DELETE, OPTIONS”);
For every POST, PUT, DELETE there are 2 requests (if you don’t cache the result).
The first is apparently refused, but in the header “accept” is passed in the first response which appears unsuccessful if you are not keeping an eye on the headers here:
Then the next request appears to ask again, but this time succeeds at the PUT, POST or DELETE.
HTTP/1.1 200 OK Date: Sat, 21 Feb 2015 21:19:08 GMT Server: Apache Access-Control-Allow-Origin: http://localhost:3000 Access-Control-Allow-Credentials: true Access-Control-Max-Age: 24000 Access-Control-Allow-Methods: GET, POST, PUT, DELETE, OPTIONS Access-Control-Allow-Headers: accept, content-type Content-Length: 77 Content-Type: application/json; charset=utf-8