I have learned that you can add the following in a PHP script to allow Cross-Origin Requests:
header("Access-Control-Allow-Methods: PUT, GET, POST");
header("Access-Control-Allow-Headers: Origin, X-Requested-With, Content-Type, Accept");
CORS checking is implemented by the client, when it receives the response. If the client and server are not in the same domain, the client checks the response to see if it contains the
Access-Control-Allow-XXX headers appropriate to the request. If not, it ignores the response and reports an error.
So nothing prevents the PHP script from running. It can perform its own checks of the request headers and form parameters, and decide whether to allow the operation.