This comment is misleading, as it seems to imply that we get cors support out of the box for all those methods. Then it mismatches the default setting here.
And even further, by default (unless something is explicitly configured, no methods are returned under Access-Control-Allow-Methods header.
