Access-Control-Allow-Origin not working correctly
I'm making a cross-domain POST request. I added Access-Control-* headers to the web server, but the Google Chrome JavaScript console raises:
XMLHttpRequest cannot load http://api.sharee.dev:3000/assets.json. Origin http://sharee.dev:4000 is not allowed by Access-Control-Allow-Origin.
POST http://api.sharee.dev:3000/assets.json undefined (undefined)
Here are all the packets that are transferred during the request: http://pastie.org/1882455
As you can see, it still sends the POST request after the OPTIONS request. It doesn't work in Firefox either. Firefox shows that the POST request was sent to the server and the response code was 200, but the response itself is empty.
The Access-Control-Allow-Origin and Access-Control-Allow-Credentials headers should be a part of any CORS response (including the preflight OPTIONS request and the POST request). Your current example shows them only on the OPTIONS response.
You can check the answer to the following post on Super User. I happened to post the problem on the chromium-dev Google group a while back.
https://superuser.com/questions/384871/how-to-override-access-control-allow-origin-restriction-in-google-chrome
Grappling with exactly the same myself, but with my server access, I finally proxied all such calls to get it running. But this will not be ideal in distribution. Have you tried matching up the headers and/or values requested vs. those responded? Also, in my research, the browser version can play a part. Please give the exact versions you are debugging now.
I think you need to put the Access-Control headers on the POST response as well?
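What the answers above describe, as an added example (not code from the original posts): the same CORS headers are attached to both the preflight OPTIONS response and the POST response, and a simplified version of the browser's check for a credentialed request shows why a POST response without them is blocked. The function names, the allowlist and the plain request/response objects are assumptions made for illustration.

```javascript
// Added example; ALLOWED_ORIGINS, corsHeaders, handle and browserAllows are hypothetical names.
const ALLOWED_ORIGINS = new Set(["http://sharee.dev:4000"]); // origin taken from the question

// Headers that must be on EVERY CORS response, preflight or actual request.
function corsHeaders(origin) {
  if (!ALLOWED_ORIGINS.has(origin)) return {}; // unknown origin: send no CORS headers
  return {
    // Echo the exact allowlisted origin; "*" is not accepted with credentials.
    "Access-Control-Allow-Origin": origin,
    "Access-Control-Allow-Credentials": "true",
    "Vary": "Origin", // caches must not reuse this response for another origin
  };
}

// Minimal handler over plain objects: returns { status, headers, body }.
function handle(req) {
  const base = corsHeaders(req.headers.origin);
  if (req.method === "OPTIONS") {
    // Preflight: base headers plus what the real request is allowed to use.
    return { status: 204, body: "", headers: { ...base,
      "Access-Control-Allow-Methods": "POST, OPTIONS",
      "Access-Control-Allow-Headers": "Content-Type" } };
  }
  if (req.method === "POST") {
    // Actual request: the same base headers again, or the browser hides the body.
    return { status: 200, body: '{"ok":true}',
      headers: { ...base, "Content-Type": "application/json" } };
  }
  return { status: 405, body: "", headers: base };
}

// Simplified browser-side check for a credentialed cross-origin request.
function browserAllows(origin, res) {
  return res.headers["Access-Control-Allow-Origin"] === origin &&
         res.headers["Access-Control-Allow-Credentials"] === "true";
}

// Constructed sample: a POST response like the one in the question (no CORS headers).
const brokenPost = { status: 200, body: "{}", headers: { "Content-Type": "application/json" } };
const origin = "http://sharee.dev:4000";
console.log("preflight ok:", browserAllows(origin, handle({ method: "OPTIONS", headers: { origin } })));
console.log("POST ok:", browserAllows(origin, handle({ method: "POST", headers: { origin } })));
console.log("POST without headers ok:", browserAllows(origin, brokenPost));
```
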