A preflight request (which will be OPTIONS rather than POST) must respond with the permission in the response header.
Your server needs to respond to it with a 200 OK response and appropriate Access-Control-Allow-... origin headers.
More details: https://stackoverflow.com/a/8689332/1461181