If origin is set to * no headers are sent.

[resistdesign]

If origin is set to * it is not sent. It doesn't matter if it's left as the default or set explicitly.

[nucleartide]

Hey, @resistdesign! I had the same problem, but from reading the tests it seems like you have to send an Origin header in your request. Here's an example with curl, it'll hit an endpoint that returns "hello world":

$ curl -H "Origin: *" --verbose http://localhost:4000/
* Hostname was NOT found in DNS cache
*   Trying 127.0.0.1...
* Connected to localhost (127.0.0.1) port 4000 (#0)
> GET /helloworld HTTP/1.1
> User-Agent: curl/7.37.1
> Host: localhost:4000
> Accept: */*
> Origin: *
>
< HTTP/1.1 200 OK
< Access-Control-Allow-Origin: *
< Content-Type: text/plain; charset=utf-8
< Content-Length: 11
< Date: Tue, 12 Jan 2016 16:04:14 GMT
< Connection: keep-alive
<
* Connection #0 to host localhost left intact
hello world

[dougwilson]

@nucleartide is correct. Just having CORS enabled does not just blindly send back response headers; the request itself needs to be a CORS request to the server (either a simple request or a pre-flight request). You can read more details about how CORS works at http://www.w3.org/TR/cors/

@resistdesign , can you show the full request and headers you are making, and what the response headers you are getting a highlight to us what is not meeting your expectation?

[resistdesign]

@nucleartide Thank you!

@dougwilson I don't even remember what I was doing now, sorry :P