Do you have PrivacyBadger Chrome extension installed? If so, either disable it or add a whitelist for *.box.comCORS requests to box.com subdomains seem to trigger it into blocking the request.
I'm trying to do a CORS preflight to check whether the file I'm uploading is already in the folder before uploading it. And failing. I've enabled CORS support for my app, got a developer token and...