Putting all the knowledge I find on CORS, needs of various HTTP verbs, and specific browser needs here.
Access-Control-Allow-Headers should be set to "*" only for OPTIONS requests. If you return it for POST requests Chrome will cancel the request.
Works for GET preflight: Access-Control-Allow-Origin: {origin} Access-Control-Allow-Methods: GET, POST, PUT, DELETE Access-Control-Allow-Headers: Authorization, Content-Type