Our CORS replies by the API are not implemented 100% according to the spec. We should do some cleanup.
We handle preflight in includes/api/ApiMain.php on line 381 by always stopping processing if the request is an OPTIONS request.
However, that means, as far as I can tell, that we return the same CORS response headers on the preflight and the actual request (which is not how preflight is intended to be used) and we do not output Access-Control-Allow-Methods which we should output for a 'proper' preflight request.
http://www.html5rocks.com/static/images/cors_server_flowchart.png
https://developer.mozilla.org/en-US/docs/Web/HTTP/Access_control_CORS