The "Exposed Headers" property should not be empty, as it allows client JavaScript to fetch an XSRF token.
The key part of the CORS implementation is to get HANA XS to authenticate a user and retrieve an XSRF token before making "useful" CORS calls. That is why Jung's code example makes two web-service calls.
My .xsaccess has the following configuration that makes the above possible:
    "allowHeaders": [
        "Accept",
        "Authorization",
        "Content-Type",
        "X-CSRF-Token"
    ],
    "exposeHeaders": [
        "x-csrf-token"
    ]
Alexei
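
Why an empty exposeHeaders breaks the token fetch, as an added example that is not part of the original post: a small model of the browser's CORS response-header filtering from the Fetch standard. The sample response values are constructed, and it is assumed that the exposeHeaders list is what the server sends as Access-Control-Expose-Headers.

```javascript
// Added example: models which response headers a browser lets
// cross-origin JavaScript read (CORS filtering in the Fetch standard).
const SAFELISTED = new Set([
  "cache-control", "content-language", "content-length",
  "content-type", "expires", "last-modified", "pragma",
]);
// Never readable by script, whatever the server exposes.
const FORBIDDEN = new Set(["set-cookie", "set-cookie2"]);

// exposeHeaders: the "exposeHeaders" array from .xsaccess (assumed to be
// sent as Access-Control-Expose-Headers).
// withCredentials: true when the call carries cookies or HTTP authentication.
function readableHeaders(responseHeaders, exposeHeaders, withCredentials) {
  const exposed = new Set(exposeHeaders.map((h) => h.toLowerCase()));
  // "*" acts as a wildcard only for requests without credentials.
  const wildcard = exposed.has("*") && !withCredentials;
  const visible = {};
  for (const [name, value] of Object.entries(responseHeaders)) {
    const key = name.toLowerCase();
    if (FORBIDDEN.has(key)) continue;
    if (wildcard || SAFELISTED.has(key) || exposed.has(key)) {
      visible[key] = value;
    }
  }
  return visible;
}

// First of the two calls: read the token from the filtered response.
function extractToken(responseHeaders, exposeHeaders, withCredentials) {
  const visible = readableHeaders(responseHeaders, exposeHeaders, withCredentials);
  return "x-csrf-token" in visible ? visible["x-csrf-token"] : null;
}

// Constructed sample response to the token-fetch call (values are made up).
const sampleResponse = {
  "Content-Type": "application/json",
  "X-CSRF-Token": "CONSTRUCTED-TOKEN-123",
  "Set-Cookie": "session=constructed",
};

console.log(extractToken(sampleResponse, [], true));               // null
console.log(extractToken(sampleResponse, ["x-csrf-token"], true)); // CONSTRUCTED-TOKEN-123
console.log(extractToken(sampleResponse, ["*"], true));            // null
```

Because the token fetch is an authenticated call, a wildcard in the exposed headers does not make the token readable; the header has to be listed by name, as in the configuration above.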