CORS is real. The part that really tripped me up, is the preflight OPTIONS request.

You can handle this options request in Rails with a nice routing constraint.

match '*', to: 'cors#handle', via: %i(options)

Then set your Access-Control-[Whatever] headers accordingly, and you’re in business.