79425819

Date: 2025-02-09 23:00:50
Score: 2
Natty:

For anyone looking to implement this scheme, consecutive CORS redirects are simply not supported to protect the user's privacy.

The best mitigation I've found is to respond to the first redirect with a webpage that has a built-in script which issues the second redirect. This allows Chrome to fill the ORIGIN header correctly and allows either CORS Middleware or the enable-cors annotation to facilitate the preflight requests "one at a time".

Reasons:
  • No code block (0.5):
  • Self-answer (0.5):
  • Low reputation (1):
Posted by: guydo