upon developing a rest frontend for roundup i came across 
the need for so called CORS preflight requests. 

see https://developer.mozilla.org/en-US/docs/Glossary/Preflight_request

basically this is a "OPTIONS" request that gets sent by the browser when 
you want to do CORS.

in frontend development i have a roundup-server running on port 8080 and 
a node.js server running on port 8081 where the frontend gets 
developed (vue.js with hot module reload etc.)

the web frontend gets loaded from the node.js server at port 8081 (to 
have all the fancy hot reloading working) and communicates with the rest 
api of the roundup server at port 8080 thus forming a nice CORS setup 
where the browser issues CORS preflight requests before any real 
request to ask the server what he is allowed to do.

attached is a patch that i have applied to make this working.

as i am not really deep in the CORS thing i am not sure if my solution 
covers all aspects of this or has any security impacts. 

the patch most likely also needs to be utilized for the xmlrpc frontend 
if it gets accessed from within a webbrowser - can't imagine who wants 
this, but maybe we should support it - but maybe it should be implemented 
for all web requests ? - could make sense to also talk to the html 
frontend directly via CORS from within another webpage.

so the patch is meant as a starting point to discuss how this can be added 
to roundup at all - and what i needed to start hacking with the rest api.

note that when you finally run the web frontend served from the same url 
where the rest api is running, you dont need this at all !

regards,
marcus.