Forum Discussion

houstonrob
Jan 10, 2018

CORS iRule Problem

I'm having a lot of trouble setting CORS headers and I'm hoping someone with more familiarity can help me out. This is my first time working with CORS, in fact until a few days ago I had never even heard of it. After some reading, my understanding is that CORS is a way to prevent a webpage from referencing another webpage.

 

So I have a page, we'll call it siteA, that gets some dynamic data from another webpage, siteB (both are internal pages) and my understanding is that siteB will not talk to siteA unless siteA presents a CORS header with a value of siteA.domain.com; is this even the correct interpretation of how this is supposed to work?

 

DevCentral keeps marking as spam so I might end up posting a partial explanation

 

4 Replies

  • SiteA and siteB are behind the same VIP, I just use an iRule to determine which pool gets hit based on the URL and they both get authenticated by APM.

     

    I wrote this based on my understanding of CORS, but when I look at the traffic in fiddler, I never see a CORS header. Anyone who's done this know where I might be going wrong or if I'm completely misunderstanding how CORS is supposed to work?

     

    I've read a few other posts on here related to CORS, but the solutions didn't seem to work for me.

     

    Any help is appreciated!

     

  • This board would not let me post this as one message, kept saying it's spam. Here's the iRule

    when HTTP_REQUEST {
        # Only populated when the Origin is one we trust, so HTTP_RESPONSE
        # never reflects an arbitrary Origin back together with Allow-Credentials
        set Origin ""

        if { [HTTP::header exists Origin] } {
            log local0. "We found an origin header: [HTTP::header Origin]"
            if { [HTTP::header Origin] eq "https://siteA.domain.com" } {
                # Exact match on the allowed origin; remember it for the response
                set Origin [HTTP::header Origin]
                log local0. "it did equal siteA $Origin and the method is [HTTP::method]"
                switch [HTTP::method] {
                    "OPTIONS" {
                        # Preflight: answer from the LTM without sending it to the pool
                        log local0. "hitting the OPTIONS response"
                        HTTP::respond 200 noserver Allow "GET,HEAD,POST,OPTIONS" \
                            Access-Control-Allow-Origin $Origin \
                            Access-Control-Allow-Methods "GET,POST" \
                            Access-Control-Max-Age "86400" \
                            Access-Control-Allow-Credentials "true"
                        return
                    }
                    "GET" -
                    "POST" {
                        # Actual request: let it through; the CORS headers are added in HTTP_RESPONSE
                        log local0. "method is [HTTP::method], Origin variable set to $Origin"
                    }
                }
            } else {
                log local0. "The origin header did not match siteA [HTTP::header Origin]"
                if { [HTTP::method] eq "OPTIONS" } {
                    # Untrusted origin: plain OPTIONS answer with no CORS headers at all
                    log local0. "Wasn't siteA and method was options"
                    HTTP::respond 200 noserver Allow "GET,POST,HEAD,OPTIONS"
                    return
                }
            }
        }
    }

    when HTTP_RESPONSE {
        log local0. "The variable origin has a value of $Origin"
        if { $Origin ne "" } {
            log local0. "Adding in an origin header $Origin"
            HTTP::header insert "Access-Control-Allow-Origin" $Origin
            # The preflight promised credentials, so the real response must say so too
            HTTP::header insert "Access-Control-Allow-Credentials" "true"
            HTTP::header insert "Access-Control-Allow-Methods" "GET,POST"
            HTTP::header insert "Access-Control-Max-Age" "86400"
            HTTP::header insert "Allow" "GET,HEAD,POST,OPTIONS"
        }
        # Tell caches that this response depends on the request's Origin
        log local0. "inserting Vary and Origin"
        HTTP::header insert "Vary" "Origin"
    }
    
  • It looks like my problem is with the response, the log shows a ton of "The variable has a value of" messages with nothing for the $Origin value; I'm pretty sure this should have a value. It looks like I never get a log message saying "Adding in an origin header $Origin"; does anyone see anything that might be wrong with how I'm doing this?

     

  • Hello,

    Use

        Access-Control-Allow-Headers "Origin, Content-Type, Accept, Xx, Yy, Zz, etc" \

    in the HTTP_REQUEST. And let me know what the error is so that we can see whether a data group is required.

    -Harsha.
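The decision the iRule above makes (exact Origin allowlist, preflight answered by the proxy, Access-Control-* headers merged into the real response, Vary: Origin) as an added Python model that can be exercised offline; this is example code, not iRule code and not from the thread. It assumes the thread's siteA hostname and a constructed ALLOWED_HEADERS list in the spirit of Harsha's Access-Control-Allow-Headers suggestion.

```python
# Added example (not from the thread, not iRule code): Python model of the
# CORS decision the iRule makes, so the header logic can be checked offline.
# siteA is the thread's placeholder host; ALLOWED_HEADERS is a constructed list.

ALLOWED_ORIGINS = {"https://siteA.domain.com"}          # exact-match allowlist
ALLOWED_METHODS = ("GET", "POST")
ALLOWED_HEADERS = ("Origin", "Content-Type", "Accept")  # constructed


def cors_headers(method, request_headers):
    """Return (status, headers).

    status 200: the proxy answers the request itself (the OPTIONS preflight).
    status None: forward to the pool and merge `headers` into the backend's
    response (what the iRule's HTTP_RESPONSE event does)."""
    origin = request_headers.get("Origin", "")
    headers = {"Vary": "Origin"}  # cached copies differ per Origin
    if origin not in ALLOWED_ORIGINS:
        # Untrusted or absent Origin (browsers only send Origin on cross-origin
        # requests): no Access-Control-* headers, so the browser blocks the read.
        # A bare OPTIONS is still answered with 200, as the iRule does.
        return (200 if method == "OPTIONS" else None), headers
    # Echo the single matched origin, never "*": "*" is invalid with credentials.
    headers["Access-Control-Allow-Origin"] = origin
    headers["Access-Control-Allow-Credentials"] = "true"
    if method == "OPTIONS":
        # Preflight: state what the real request may use and cache it for a day
        headers["Access-Control-Allow-Methods"] = ", ".join(ALLOWED_METHODS)
        headers["Access-Control-Allow-Headers"] = ", ".join(ALLOWED_HEADERS)
        headers["Access-Control-Max-Age"] = "86400"
        return 200, headers
    return None, headers


def browser_exchange(origin, method="POST"):
    """Simulate the two requests a browser makes for a credentialed cross-origin
    POST: the OPTIONS preflight, then the real request. Returns the two
    Access-Control-Allow-Origin values (None where the header is absent)."""
    preflight = {"Origin": origin, "Access-Control-Request-Method": method}
    _, pre_hdrs = cors_headers("OPTIONS", preflight)
    _, real_hdrs = cors_headers(method, {"Origin": origin})
    return (pre_hdrs.get("Access-Control-Allow-Origin"),
            real_hdrs.get("Access-Control-Allow-Origin"))


if __name__ == "__main__":
    print(browser_exchange("https://siteA.domain.com"))
    print(browser_exchange("https://siteA.domain.com.example.net"))  # lookalike host
```

The lookalike host shows why the check is an exact match rather than a prefix or substring test: it gets Vary: Origin and nothing else.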