Hi John,

sorry for not answering for that long, but i was off for sick-leave :(

Thanks for the patch, i have tested it and it works !

unsetting allowed_api_origins leads to a 400, setting it to * or
http://localhost:8081 (where the frontend server is running) works :)

so i think for this we can apply this patch and go ahead ;)

btw: as per your request, here are the headers from the preflight 
request as seen from devtools:

request:

OPTIONS 
/t/rest/data/time_activity?@sort=name&@verbose=0&@fields=name,id,description,travel&is_valid=1 
HTTP/1.1
Accept: */*
Accept-Encoding: gzip, deflate, br
Accept-Language: en-US,en;q=0.9,de;q=0.8
Access-Control-Request-Headers: content-type,x-requested-with
Access-Control-Request-Method: GET
Cache-Control: no-cache
Connection: keep-alive
Host: localhost:8080
Origin: http://localhost:8081
Pragma: no-cache
Referer: http://localhost:8081/
Sec-Fetch-Dest: empty
Sec-Fetch-Mode: cors
Sec-Fetch-Site: same-site
User-Agent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, 
like Gecko) Chrome/101.0.4951.64 Safari/537.36

answer:

HTTP/1.1 204 No Content
Server: BaseHTTP/0.3 Python/2.7.18
Date: Tue, 07 Jun 2022 09:49:24 GMT
Access-Control-Allow-Methods: OPTIONS, GET, POST
Access-Control-Max-Age: 86400
Vary: Origin, Origin
Allow: OPTIONS, GET, POST
Access-Control-Allow-Credentials: true
Access-Control-Allow-Origin: http://localhost:8081
Access-Control-Allow-Headers: Content-Type, Authorization, 
X-Requested-With, X-HTTP-Method-Override

thanks for the nice work and good support !

regards,
marcus.