I was trying to POST data from a form, but it was sending a CORS preflight request first.
I could handle this case by adding
Access-Control-Allow-Origin: *
Access-Control-Allow-Methods: GET, POST, PUT
Access-Control-Allow-Headers: content-type
to the returned headers, and then at least the POST data was submitted. But then I had no control over the response to the POST.