Just to confirm: the purpose of the CORS plugin is to provide a CORS frontend to a service which does not currently have CORS. It is not to bypass CORS on a backend service that *already* has CORS.
I believe you may be misunderstanding how the CORS protocol works.
The browser first executes the preflight request, THEN it separately and subsequently executes the real request. So, if you were attempting to execute an OPTIONS request then you would execute 2 separate calls. This is done on your behalf transparently by the browser.
The 'real' call is approved by virtue of the preflight request, and does not require the CORS headers you're including (which make it look like a preflight request).
If you are doing a *simple* request, as per the CORS specification, then no preflight is required and you embed the headers in the 'real' request as your samples show.
Does this resolve your issue?