CORS is really strict about headers. Only Accept/Accept-Language/Content-Language can be replaced with arbitrary field values. This behavior is only intended to “secure” poorly designed apps, e.g. those that rely on X-Requested-With as a CSRF protection. CORS-* headers are not going to be useful to hack currently existing apps, but will remove futile preflight requests. To perform state-changing requests you need to know csrf_token anyway; to read the response you need a suitable Access-Control-Allow-Origin.
Source: http://homakov.blogspot.com/2014/01/how-to-use-cors-without-preflights.html

