just a shot in the dark since i saw this once...is

st-auth-mode

header present in your cors configuration?