What's an example pre-flight request that is failing? Most of them should be hooked up, so I would like to see which specifically is being called.

This is a security rule employed by most most moderns browsers in the CORS definition.

Basically, the OPTION preflight request will apply if :

• Your request type is not GET, HEAD or POST
• If it's a POST request, it will aply if your content-type header is not in : "application/x-www-form-urlencoded", "multipart/form-data", or "text/plain"

(I assume that your request is a POST with the content-type set to application/xml or application/json)

But it's not a problem, it's a safety measure. You just have to configure your server to respond to OPTION request with a status 200 and a header "Access-Control-Allow-Origin: *"

What is your backend setup ?

This is my post request

validateRequestToken(user){
       const httpOptions = {
        headers: new HttpHeaders({
        'Content-Type': 'application/json'}),
        };

     return this.http.post('https://api.themoviedb.org/3/authentication/token/validate_with_login?api_key=' + apiKey,  user, httpOptions).map(response =>{
        return new RequestToken(response); 
      })
 }

It sends pre-flight request, but it's not clear to me what should I do and is there a way to solve this without proxy and is this desirable behavior?

OPTIONS is enabled on most (was supposed to be all ) endpoints but indeed, it was not enabled on the /3/authentication endpoints. I have a deploy going out later today that will enable it. I'll let you know when it's live.

Thank you very much for clarification and your help! ;)

OPTIONS should be enabled now on the /3/authentication methods. Let me know if you run into any more trouble.

Thanks Travis! ;-)