A preflight request (which will be OPTIONS rather than POST) must respond with the permission in the response header.
Your server needs to respond to it with a 200 OK
response and appropriate Access-Control-Allow-...
origin headers.
More details: https://stackoverflow.com/a/8689332/1461181