Most likely your AllowedOrigins string does not match the browsers domain for the page hosing the JavaScript making the call.
The origin is either a wildcard (*) or fully specified protocol, domain (no wildcard support) and port.
note: the browser implements the CORS logic, the servers only job is render the allowed origin header.
to help you more, post the server origin values, and the browser’s url of the page hosting the JavaScript api request. Also the full CORS error message in the browser.