Here's a sample request sent from a browser hitting http://example.org:
https://api.zenginehq.com/v1/workspaces -H "Origin: http://example.org" Origin: http://example.org Access-Control-Request-Header: X-Custom-Header
At present, all domains are currently accepted. OPTIONS preflight requests and their subsequent full requests respond with the following headers:
Access-Control-Allow-Origin: * Access-Control-Allow-Methods: GET, POST, PUT, DELETE, OPTIONS Access-Control-Allow-Headers: X-Custom-Header
Note that in the near future, the allowed origins will be limited to those registered with us as third-party applications.