Cross-domain Ajax with Cross-Origin Resource Sharing | NCZOnline: "Access-Control-Allow-Origin – same as in simple requests.
Access-Control-Allow-Methods – a comma separated list of allowed methods.
Access-Control-Allow-Headers – a comma separated list of headers that the server will allow.
Access-Control-Max-Age – the amount of time in seconds that this preflight request should be cached for."
'via Blog this'