I've been working with Ember.js in a Windows environment lately. The Ember apps are actually backed by some simple ASP scripts that provide JSON data with the CORS header. Things were working quite well until all of my data calls started being refused because of CORS.
Here was my process:
1. If I brought up the console and ran a simple $.getJSON or $.get query on the URL, I received the same CORS error that the header was missing, and the Network tab showed the header was missing.
2. If I brought up the URL in a separate browser tab, things loaded just fine, and the Network tab in the debugger showed the CORS header was present.
3. I finally got my clue when I noticed a 401 error in the console as well. Digging down further I found the data call was actually receiving an unauthorized access html page, which of course had no CORS header. It turns out the security settings had been changed on IIS, making the normal pages load, but causing the AJAX calls to fail.
To solve this, I did the following:
1. Open IIS Manager, select the directory where your ASP files are located.
2. Open Authentication under IIS.
3. Right click on Anonymous Authentication and edit.
4. Select Application Pool Identity.
5. Restart the site.
Thanks to this StakOverflow question for the answer.