Cross-domain chunked uploads using CORS


The POST won't leave the browser if the preflight check does not return sufficient permissions and thus the POST request is not fully authorized. The request/response included in the question does look sufficient to me.

  • Are you sure you are setting withCredentials = true in your XMLHttpRequest?
  • Are you sure that you have valid (not self-signed) SSL certificates on your servers? The HTTPS might fail the CORS check even if you have added an exception for browsing the site with an invalid certificate.
  • Have you tried emptying your cache? You have Access-Control-Max-Age: 10000 set in your response headers. That's close to 3 hours. I know you've been working on this longer than that but while testing especially, set that header to zero instead so you don't go crazy with browser caching of old access permissions.

In general I'd start with going as permissive as possible with the CORS headers and slowly ratcheting up the security to see where it fails. However, this is not completely straightforward. For example, according to the MDN documentation on CORS,

When responding to a credentialed request, server must specify a domain, and cannot use wild carding. The above example would fail if the header was wildcarded as: Access-Control-Allow-Origin: *

When I send the request part of your question to https://cors-test.appspot.com/test, I get back the following:

    HTTP/1.1 200 OK
    Cache-Control: no-cache
    Access-Control-Allow-Origin: https://server.local:8443
    Access-Control-Allow-Headers: content-disposition,content-type,x-content-range,x-session-id
    Access-Control-Allow-Methods: POST
    Access-Control-Max-Age: 0
    Access-Control-Allow-Credentials: true
    Cache-Control: no-cache
    Expires: Fri, 01 Jan 1990 00:00:00 GMT
    Content-Type: application/json
    Content-Encoding: gzip
    Content-Length: 35
    Vary: Accept-Encoding
    Date: Thu, 23 May 2013 06:37:34 GMT
    Server: Google Frontend

So you can start from there and add more and more security until it breaks to figure out what is the culprit.
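
The checks discussed in the answer above can be modelled in a few lines. This is an added example, not part of the original answer: a simplified model of the browser's preflight decision for a credentialed upload. The names checkPreflight, uploadRequest, testServerResponse and permissiveResponse are hypothetical, and the request object is constructed from the headers the quoted response allows.

```javascript
// Parse a comma-separated header value into lowercase tokens.
const tokens = (v) => (v || "").split(",").map((s) => s.trim().toLowerCase()).filter(Boolean);

// req:  { origin, method, headers (as sent in Access-Control-Request-Headers), withCredentials }
// resp: preflight response headers as an object with lowercase keys
function checkPreflight(req, resp) {
  const blocked = [], warnings = [];
  const origin = (resp["access-control-allow-origin"] || "").trim();
  const wild = (list) => !req.withCredentials && list.includes("*"); // "*" is literal when credentialed

  if (req.withCredentials && origin === "*") blocked.push("wildcard origin on credentialed request");
  else if (origin !== req.origin && !(origin === "*" && !req.withCredentials)) blocked.push("origin not allowed");
  if (req.withCredentials && resp["access-control-allow-credentials"] !== "true")
    blocked.push("Access-Control-Allow-Credentials is not true");

  // GET, HEAD and POST pass the method check without being listed.
  const methods = tokens(resp["access-control-allow-methods"]);
  const method = req.method.toLowerCase();
  if (!["get", "head", "post"].includes(method) && !methods.includes(method) && !wild(methods))
    blocked.push("method not allowed: " + req.method);

  const allowed = tokens(resp["access-control-allow-headers"]);
  for (const h of req.headers.map((x) => x.toLowerCase()))
    if (!allowed.includes(h) && !wild(allowed)) blocked.push("header not allowed: " + h);

  const maxAge = parseInt(resp["access-control-max-age"] || "0", 10);
  if (maxAge > 0) warnings.push("preflight result may be cached for up to " + maxAge + " s");
  return { blocked, warnings };
}

// Constructed request, modelled on the headers the quoted response allows.
const uploadRequest = {
  origin: "https://server.local:8443", method: "POST", withCredentials: true,
  headers: ["Content-Disposition", "Content-Type", "X-Content-Range", "X-Session-Id"],
};
// CORS-relevant headers from the response quoted in the answer.
const testServerResponse = {
  "access-control-allow-origin": "https://server.local:8443",
  "access-control-allow-headers": "content-disposition,content-type,x-content-range,x-session-id",
  "access-control-allow-methods": "POST",
  "access-control-max-age": "0",
  "access-control-allow-credentials": "true",
};
// Constructed "as permissive as possible" variant with a long cache lifetime.
const permissiveResponse = { ...testServerResponse,
  "access-control-allow-origin": "*", "access-control-allow-headers": "*",
  "access-control-max-age": "10000" };
console.log(checkPreflight(uploadRequest, testServerResponse));
console.log(checkPreflight(uploadRequest, permissiveResponse));
```

The model covers only the origin, credentials, method, header and max-age checks named in the answer; a real browser applies further rules.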