diff -r ac0df9272162 roundup/cgi/client.py
--- a/roundup/cgi/client.py	Tue May 03 13:16:28 2022 -0400
+++ b/roundup/cgi/client.py	Wed May 04 08:04:00 2022 +0200
@@ -608,6 +608,35 @@
             self.determine_language()
         # Open the database as the correct user.
         # TODO: add everything to RestfulDispatcher
+
+        # handle preflight request
+        if (   self.env['REQUEST_METHOD'] == "OPTIONS"
+           and self.request.headers.get ("Access-Control-Request-Headers")
+           and self.request.headers.get ("Access-Control-Request-Method")
+           and self.request.headers.get ("Origin")
+           ):
+            self.setHeader(
+                "Access-Control-Allow-Origin",
+                self.request.headers.get ("Origin")
+                )
+            self.setHeader(
+                "Access-Control-Allow-Methods",
+                "OPTIONS, GET, POST, PUT, DELETE, PATCH"
+                )
+            self.setHeader(
+                "Access-Control-Allow-Credentials",
+                "true"
+                )
+            self.setHeader(
+                "Access-Control-Allow-Headers",
+                "Content-Type, x-requested-with, x-http-method-override"
+                )
+            self.setHeader("Access-Control-Max-Age", "86400")
+            self.setHeader("Content-Type", "text/plain")
+            self.setHeader("Content-Length", "0")
+            self.write ("")
+            return
+
         try:
             self.determine_user()
             self.db.tx_Source = "rest"
diff -r ac0df9272162 roundup/rest.py
--- a/roundup/rest.py	Tue May 03 13:16:28 2022 -0400
+++ b/roundup/rest.py	Wed May 04 08:04:00 2022 +0200
@@ -2162,7 +2162,10 @@
         data_type = ext_type or accept_type or headers.get('Accept') or "invalid"
 
         # add access-control-allow-* to support CORS
-        self.client.setHeader("Access-Control-Allow-Origin", "*")
+        self.client.setHeader(
+            "Access-Control-Allow-Origin",
+            self.client.request.headers.get ("Origin")
+            )
         self.client.setHeader(
             "Access-Control-Allow-Headers",
             "Content-Type, Authorization, X-Requested-With, X-HTTP-Method-Override"
@@ -2175,6 +2178,10 @@
             "Access-Control-Allow-Methods",
             "HEAD, OPTIONS, GET, POST, PUT, DELETE, PATCH"
         )
+        self.client.setHeader(
+            "Access-Control-Allow-Credentials",
+            "true"
+        )
         # Is there an input.value with format json data?
         # If so turn it into an object that emulates enough
         # of the FieldStorge methods/props to allow a response.