Improvement | Resolution: Fixed | High | 2013-03-11 | None
Currently we allow "simple" CORS requests as per MBS-2979. These don't use authentication or additional headers and only use a simple Content-Type, so they need no preflight and work fine.
Some clients make preflight requests anyway. Sometimes this is a bug, sometimes it lets them support a wider range of servers with the same code.
One such client that currently doesn't work unpatched is swagger https://developers.helloreverb.com/swagger/ (see MBS-5307).
We should handle preflight requests as per http://www.w3.org/TR/cors/#resource-preflight-requests
(nice graphic in http://www.html5rocks.com/static/images/cors_server_flowchart.png)
We still don't allow submitting data via CORS, so no authentication/credentials and only the GET method.
Adding this feature wouldn't be a technical problem, but it would be a potential security issue (malicious sites could make requests with a logged-in user's session).
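As an added illustration (not MusicBrainz code), the preflight handling described above for a read-only API: GET only, no credentials, a rejected preflight answered without any Access-Control-* headers so the browser blocks the real request. The allowed request-header list and the max-age value are assumptions.

```python
# Added example of a read-only CORS preflight handler in the spirit of
# this ticket (GET only, no credentials). Not MusicBrainz code; the
# allow-listed request headers and the cache lifetime are assumptions.

# Request headers a browser may ask for beyond the CORS-safelisted ones
# (constructed allow list; adjust for the real API).
ALLOWED_REQUEST_HEADERS = {"accept", "content-type"}
PREFLIGHT_MAX_AGE = 600  # seconds the browser may cache the preflight result


def is_preflight(method, headers):
    """OPTIONS + Origin + Access-Control-Request-Method identifies a preflight."""
    h = {k.lower(): v for k, v in headers.items()}
    return (method == "OPTIONS"
            and "origin" in h
            and "access-control-request-method" in h)


def handle_preflight(headers):
    """Return (status, response_headers) for a CORS preflight request.

    Per the W3C CORS preflight algorithm, a preflight the resource does not
    accept is answered without Access-Control-* headers; the browser then
    fails the actual request before it is ever sent.
    """
    h = {k.lower(): v for k, v in headers.items()}
    requested_method = h["access-control-request-method"].upper()
    requested_headers = {
        x.strip().lower()
        for x in h.get("access-control-request-headers", "").split(",")
        if x.strip()
    }
    # Read-only policy: only GET may cross origins, and every header the
    # browser wants to send must be on the allow list.
    if requested_method != "GET" or not requested_headers <= ALLOWED_REQUEST_HEADERS:
        return 200, {}
    response = {
        # Credentials are never accepted, so the wildcard origin is safe:
        # the browser will not attach cookies or HTTP auth to the request,
        # and Access-Control-Allow-Credentials is deliberately absent.
        "Access-Control-Allow-Origin": "*",
        "Access-Control-Allow-Methods": "GET",
        "Access-Control-Max-Age": str(PREFLIGHT_MAX_AGE),
    }
    if requested_headers:
        response["Access-Control-Allow-Headers"] = ", ".join(sorted(requested_headers))
    return 200, response
```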