This is a server issue, so I'd leave out the ARequest.Headers business, at least as far as this is concerned.
The Apache configuration files are notorious for being picky about where things are defined. .htaccess files aren't any better. Taken together, they can be just as much fun as CORS, and should be considered willing accomplices to this crime.
All I can suggest there is triple-check that you've updated the .htaccess files correctly, that they're being applied to the content in question (you don't usually have to restart Apache unless you're changing its configuration files directly) and that you've done a hard refresh on your browser page so that Apache is forced to regenerate whatever it is sending you.