Hi Ken, the problem is not as simple as it looks like. We cannot use "simple" headers, because if a browser detects any cross-domain query (different protocol/domain or port), it will make a "preflight" OPTIONS request and if there are no proper CORS headers in the response, the browser will refuse to make the real request (from JavaScript). There is no way to disable these preflight requests (these are generated internally by browsers). Correct CORS headers for CardDavMATE/CalDavZAP looks like: Access-Control-Allow-Origin * => everybody can make request to this server Access-Control-Allow-Methods GET,POST,OPTIONS,PROPFIND,REPORT,PUT,MOVE,DELETE,LOCK,UNLOCK => all allowed methods (even if you return something like "unsupported" or "not implemented" for some of them) Access-Control-Allow-Headers User-Agent,Authorization,Content-type,Depth,If-match,If-None-Match,Lock-Token,Timeout,Destination,Overwrite,X-client,X-Requested-With => all standard headers used by dav clients/browsers (sometime you need to add another one for new client ... so it is good to have a configuration option for additional headers) JM On May 29, 2013, at 4:28 PM, Ken Murchison <murch(a)andrew.cmu.edu> wrote: