So I've tried looking through previous answers on here and nothing seems to be working. I'm using Dropzone, which appears to make an OPTIONS request to get all the allowed CORS related information, but it doesn't seem to be returning properly
So from looking in the Chrome dev tools, I have the following Request Headers
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/44.0.2403.157 Safari/537.36
Access-Control-Request-Headers: accept, cache-control, content-type, x-requested-with
Accept-Encoding: gzip, deflate, sdch
HTTP/1.1 403 Forbidden
Date: Fri, 28 Aug 2015 18:35:26 GMT
<?xml version="1.0" encoding="UTF-8"?>
Agh, it was super dumb. It seems according to the page on enabling CORS that for OPTIONS requests:
Every header listed in the request's Access-Control-Request-Headers header on the preflight request must match an AllowedHeader element.
Meaning I had to add a bunch of previously missing lines to my CORS policy
<AcceptHeader>accept</AcceptHeader> <AcceptHeader>cache-control</AcceptHeader> ...