I spent a few hours on this; it looks like we can’t add custom headers on a preflight request. We’re using jQuery/Backbone/Marionette, and some of the cross-origin requests (HTTP POST and GET with custom headers) are causing a preflight request to happen.
Apparently the preflight requests are generated by the browser, and we can’t control the headers in that request. The server needs to handle the HTTP OPTIONS request properly and return a 200 code in order for the request to continue.
In my case, the OPTIONS request was going to a resource requiring authentication, so I’m thinking that I need to allow OPTIONS requests to get a response without authentication.
Here’s the helpful resource that I ran across. http://www.sencha.com/forum/showthread.php?265119-Authorization-header-not-sent-on-preflight-OPTIONS-request
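One way to apply this on the server side, as an added example that is not code from the original post: answer the preflight without credentials, but only for an allowlisted origin, method and header set, and keep authentication on the real request. The function names, the origin and the demo token are all assumptions made for illustration.

```javascript
// Added example; every name and value here is hypothetical/constructed.
const ALLOWED_ORIGINS = new Set(["https://app.example.com"]);
const ALLOWED_METHODS = ["GET", "POST"];
const ALLOWED_HEADERS = ["authorization", "content-type"];

// A preflight is an OPTIONS request carrying Origin and
// Access-Control-Request-Method. The browser never attaches credentials to it.
function isPreflight(req) {
  return req.method === "OPTIONS" && !!req.headers["origin"] &&
    !!req.headers["access-control-request-method"];
}

// req: { method, headers } with lower-cased header names (as Node provides).
// isAuthenticated: the application's own credential check (assumed callback).
function handle(req, isAuthenticated) {
  const origin = req.headers["origin"];
  const originOk = ALLOWED_ORIGINS.has(origin);
  const cors = originOk ? { "Access-Control-Allow-Origin": origin, "Vary": "Origin" } : {};

  if (isPreflight(req)) {
    const method = req.headers["access-control-request-method"];
    const wanted = (req.headers["access-control-request-headers"] || "")
      .split(",").map((h) => h.trim().toLowerCase()).filter(Boolean);
    const ok = originOk && ALLOWED_METHODS.includes(method) &&
      wanted.every((h) => ALLOWED_HEADERS.includes(h));
    if (!ok) return { status: 403, headers: {} }; // no CORS headers: browser blocks
    return { status: 200, headers: { ...cors,
      "Access-Control-Allow-Methods": ALLOWED_METHODS.join(", "),
      "Access-Control-Allow-Headers": ALLOWED_HEADERS.join(", "),
      "Access-Control-Max-Age": "600" } };
  }

  // Everything else, including OPTIONS that is not a preflight, needs auth.
  if (!isAuthenticated(req.headers["authorization"])) return { status: 401, headers: cors };
  return { status: 200, headers: cors };
}

// Constructed sample requests.
const auth = (h) => h === "Bearer demo-token";
const preflight = { method: "OPTIONS", headers: { origin: "https://app.example.com",
  "access-control-request-method": "POST",
  "access-control-request-headers": "Authorization, Content-Type" } };
const post = { method: "POST", headers: { origin: "https://app.example.com" } };
console.log(handle(preflight, auth).status, handle(post, auth).status); // 200 401
```

The exemption is scoped to requests that are actually preflights, so a plain OPTIONS call to the protected resource still goes through the credential check.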