I just experienced this same issue, trying to enable CORS globally. However I found out it does work, however only when the request contains a Origin
header value. If you omit the origin
header value, the response will not contain a Access-Control-Allow-Origin
.
I used a chrome plugin called DHC to test my GET request. It allowed me to add the Origin
header easily.