Could you allow the following in the Access-Control-Allow-Headers

x-csrf-token

Currently when attempting to read from the header: Request header field x-csrf-token is not allowed by Access-Control-Allow-Headers in preflight response

Ideally if your solution could pick up this token from the site and pass it through automatically, that would be ideal. Working on a script to do this automatically, if possible).