Comment 3 for bug 1680062

Logan V (loganv) wrote :

Yes, adding allow_headers for Origin fixes it.

I also found that setting allow_headers in my glance-api.conf overrides all of the default glance headers, so I have to add a bunch of the defaults like X-AUTH-TOKEN back to the list as well.

Since some browsers send "Origin" as a request header, shouldn't that probably be one of the defaults in the allowed_header list for the cors middleware? That's what I'm suggesting with the bug here.