Also, when developing locally using a self-signed certificate on your api server, Google Chrome seems to not accept the preflight Options after a few minutes. As in, if you do a PUT or DELETE, it will work initially, but after a few minutes, the OPTIONS request hangs at the “(pending)” stage.
I figured out this was the case after searching around and found http://stackoverflow.com/questions/14492686/cors-request-fails-in-chrome-only-if-has-headers, which led to this bug: https://code.google.com/p/chromium/issues/detail?id=96007.
The way around this is to start Chrome with web security disabled: google-chrome –disable-web-security (be sure to shut down ALL currently-used Chrome instances, and then issue the command. Otherwise, Chrome will start like normal and ignore the disable-web-security flag). This should only be done while testing and debugging your app locally on your VM. When it comes time for production, the fact that you have a valid certificate for your https api server, should make this a moot point.
Interesting to note that Firefox does not have a problem with CORS and self-signed certs.