This is because Magento has no built-in method for handling OPTIONS requests and will return a 400 error in response.
An API call using Angular JS should do the trick
Steps to reproduce
Have a running Magento install with a valid API account
Obtain an authorization key to create an API request
Make any request via AJAX in a standard browser (with valid authentication headers and request data)
The API receives an OPTIONS request for the API endpoint and provides valid CORS headers in response
The AJAX call verifies the CORS headers and proceeds to make the API call
The API receives an OPTIONS request for the API endpoint and fails, returning a 400 response
The AJAX call fails to validate CORS headers and stops
You can work around this by modifying the HTML server to return a valid response when any OPTIONS request is made, but this is less than ideal. Ideally each individual API endpoint can return valid CORS headers, and other pages will fail or disallow such requests.