Better CORS header.
Use Access-Control-Allow-Origin: *
instead of
Access-Control-Allow-Origin: foo.com
. Chrome (and potentially other
browsers) have a habit of caching a response the includes the latter and
then reusing it for other origins, causing a CORS failure.