The Linux guys are calling my service using $http.get and they asked me to put all of these in my response:
Access-Control-Allow-Origin: * Access-Control-Allow-Headers: X-Requested-With Access-Control-Allow-Headers: Content-Type Access-Control-Allow-Methods: PUT, GET, POST, DELETE, OPTIONS This got us through the first call, but in the second call they have to add a custom request header containing a login token from the first call, and that resulted in an OPTIONS request, which left me really confused. However, this morning I have already learned why that OPTIONS request was generated. This guy <https://developer.mozilla.org/en-US/docs/Web/HTTP/Access_control_CORS> explains what what I'm seeing is a "preflight" request. I'm still reading ... I'm not sure I can completely bypass SOP by using CORS response headers, or if I need to handle preflight requests as well. *Greg*
