I want to set the allow_origin to a sub domain, for example app.example.com where the Plone site is running on example.com. The plone.rest package provides a zcml setting for that, but i don't see any allow_origin headers after adding this setting as described in the docs:
"CORS policies can be bound to specific interfaces of content objects and to specific browser layers. This allows us to define different policies for different content types or to override existing policies. The following example defines a policy for the site root.
The config works indeed, i have added some more allowed headers, which makes sense like:
DNT,
X-Requested-With
If-Modified-Since
Cache-Control
The main issue, was that i had a problem in the backend, the CORS message was just missleading.
So make sure that you cache errors correctly and everything works.