Earlier today I helped a buddy of mine who was trying to get CORS working with ColdFusion. He followed my simple tip (Enable CORS for ColdFusion Services) but it didn't work. I did some digging and this is what I found.
The first thing I did was to open up his service directly in my browser. I knew I could use Chrome's DevTools to look at the header responses from his service. This is what I saw.
See the funky crap around the Access-Control-Allow-Origin line? That was my clue. I asked him for the code and this is what I saw:
See it? The quotes around the header name and value are those funky smart quotes (they probably have a more formal name) and not "regular" quotes (compare to the name of the function above). So... yeah. They suck.