This is mostly a note to myself because for some reason when testing CORS headers I nearly always manage to forget to include the Origin header.

For completeness here’s an example using curl:

curl -v --request OPTIONS 'localhost:8080' --header 'Origin: http://example.com'

Here’s an example of doing an OPTIONS request to test authorization against AWS S3:

curl --head --request OPTIONS \ 
    --header 'origin: https://www.example.com' \ 
    --header 'Access-Control-Request-Method: GET' \ 
    https://s3.amazonaws.com/example/path/to/object/my-image.jpg

NOTE: Probably more to the story but CORS seems very expensive! In my completely non-scientific tests CORS added 3x cost to the speed of the request.