CORS pre-flight comes back with Access-Control-Allow-Origin:*, browser still fails request

change your Access-Control-Allow-Methods: 'GET, POST' to 'GET, POST, PUT, DELETE'

before:

   app.use(function(req, res, next) {        res.setHeader('Access-Control-Allow-Origin', '*');        res.setHeader('Access-Control-Allow-Methods', 'GET, POST');        res.setHeader('Access-Control-Allow-Headers', 'X-Requested-With,content-type, Authorization');        next();    });

After:

app.use(function(req, res, next) {    res.setHeader('Access-Control-Allow-Origin', '*');    res.setHeader('Access-Control-Allow-Methods', 'GET, POST, PUT ,DELETE');    res.setHeader('Access-Control-Allow-Headers', 'X-Requested-With,content-type, Authorization');    next();});

I recently had the same issue. The problem is that the Access-Control-Allow-Origin header (and, if you use it, the Access-Control-Allow-Credentials header) must be sent in both the preflight response and the actual response.

Your example has it only in the preflight response.

Is your web server/get function ALSO including the HTTP header: Access-Control-Allow-Origin? I eventually found success with that addition, using AngularJS 1.0.7 and a remote Java servlet. Here is my Java code snippet--no changes were required in AngularJS client:

Servlet:

@Overrideprotected void doOptions(HttpServletRequest request, HttpServletResponse response) throws ServletException, IOException {    // Send Response    super.doOptions(request,  response);    response.setHeader("Access-Control-Allow-Origin", "*");    response.setHeader("Access-Control-Allow-Headers", "Content-Type, X-Requested-With");}@Overrideprotected void doGet(HttpServletRequest request, HttpServletResponse response) throws ServletException, IOException {    /* ... */    response.setHeader("Access-Control-Allow-Origin", "*");}

A more elegant alternative is a servlet filter.