We were trying to enable CORS on our Staging server and no matter what setting we enable or tweak in our security layer it appears the CORS functionality is not working with Sitefinity although its apparently enabled.
To ensure it was not a problem with the configuration on the Staging server, I downloaded the latest Sitefinity Empty SampleProject found here: https://github.com/Sitefinity-SDK/Telerik.Sitefinity.Samples.EmptyProject/tree/release91 and I was able to reproduce the exact same problem locally.
Attached you will find two screenshots.
WebRequest with Error.png will show you the entire debug window from the developer tools from within Google Chrome.
WebService options.png shows you the options set against that specific web service and showing CORS is enabled.
Also with a direct quote from the official Sitefinity Documentation on CORS: http://docs.sitefinity.com/define-the-access-permissions
Every request from every domain will be allowed. We do not recommend this, because there may be malicious users who would try to exploit the service. We recommend to specify only domains that are trusted."
Hopefully this can be addressed and thanks to anyone who has any information or suggestions on this issue.