How do CORS and Access-Control-Allow-Headers work?

I am trying to make a CORS POST request from domain.com on a.domain.com.

My javascript looks like this

$('#fileupload').fileupload({ xhrFields: { withCredentials: true }, dataType: 'json', url: $('#fileupload').data('path'), singleFileUploads: true, add: function(e, data){ data.submit(); } }); 

First I see the OPTIONS route, called like this:

 Request URL: https://a.domain.com/some/route Request Method:OPTIONS Status Code:200 OK 

REQUEST FOR OPTION:

 Access-Control-Request-Headers:origin, content-type, accept Access-Control-Request-Method:POST Host:a.domain.com Origin:http://domain.com:3000 Referer:http://domain.com:3000/home 

RESPONSE OPTIONS

 Access-Control-Allow-Credentials:true Access-Control-Allow-Methods:POST Access-Control-Allow-Origin:http://domain.com:3000 Connection:keep-alive Content-Length:0 Content-Type:text/html;charset=utf-8 

This request returns with 200 as indicated. On my server, I have the same route with the POST method, and this is what I get in return after OPTIONS

 Request URL:https://a.domain.com/some/route 

AFTER REQUEST

 Content-Type:multipart/form-data; boundary=----WebKitFormBoundaryjwr5Pk7WBcfzMdbO Origin:http://domain.com:3000 Referer:http://domain.com:3000/home 

and the POST request is canceled / fails.

My question is: do I also need access-source-source access control on a POST controller?

I have a cookie for authorization with the domain .domain.com , which received a cookie at the same time in the request and it is not sent now. Any idea why this will happen?