In the message inspector you have added the CORS headers in every call, which is not required. Applying CORS headers only for OPTIONS calls would have done the trick as well.
Plus you want to also specify the "Access-Control-Max-Age" header so as to cache the CORS call.