It seems that some browsers like Chrome allow me to proceed with the POST regardless of the error message in the OPTIONS response. But I don't consider this solved.
Look at the Fidler screenshots of the OPTIONS request it has
Access-Control-Allow-Origin: http://hybridwebapp.com
And yet the error:
The origin http://hybridwebapp.com is not allowed
That is completely contradictory it's as if it's ignoring the header.
Look at the Fidler screenshots of the OPTIONS request it has
Access-Control-Allow-Origin: http://hybridwebapp.com
And yet the error:
The origin http://hybridwebapp.com is not allowed
That is completely contradictory it's as if it's ignoring the header.