I'm running into a similar issue as this post but the best answer did not help me out. If anybody has any other ideas, I would greatly appreciate it. Here are the requests:

Request Headers

OPTIONS

Access-Control-Request-Method:  POST
Access-Control-Request-Headers: content-type,x-annotator-auth-token,x-csrftoken

Response Headers

Access-Control-Max-Age: 3600
Access-Control-Allow-Origin:    http://localhost:8000
Access-Control-Allow-Methods:   GET, HEAD, POST, PUT, DELETE, TRACE, OPTIONS
Access-Control-Allow-Headers:   content-length, content-type, x-annotator-auth-token, x-requested-with, x-csrftoken
Access-Control-Allow-Credentials:   true

It returns with a status code of 200. The actual request contains content-length, content-type, x-annotator-auth-token, and x-csrftoken but gets no status code as if it never fired. Again any help would be appreciated! Thanks

response.addHeader("Access-Control-Allow-Origin", "*"); 

or

response.addHeader("Access-Control-Allow-Credentials","true");  

and

response.addHeader("Access-Control-Allow-Methods", "GET, PUT, POST, DELETE, OPTIONS");  
response.addHeader("Access-Control-Allow-Headers", "Content-Type, X-Experience-API-Version,Authorization");  
//add this into your response header and it will work