browsers (which have gotten very picky over the years). Add "Access-Control-Allow-Origin" to XMLRPC responses. Add "Access-Control-Allow-Methods" and "Access-Control-Allow-Headers" to the HTTP OPTIONS response (used in CORS pre-flight request).
e19defd