From a browser, an XMLHttpRequest to a CSP page on a different server will obviously hit the CORS security check.
To get around this I can set the Access-Control-Allow-Origin header on that particular CSP class.
However, setting any request headers on the XMLHttpRequest object will trigger a pre-flight OPTIONS request.
This OPTIONS request is not handled by the target CSP page and the Access-Control-Allow-Origin header is never set, triggering a CORS error.