Welcome to the CORS party. You can search around here for plenty of painful posts about CORS. It's hit me over the head more times than I care to think about.
The short version is that you probably need to add that header to the server, not to the client.
And yes, it can be the case that it works fine from the browser and not from the client. In fact, that's usually the case with CORS.
CORS is so troublesome, in fact, that Bruno recently pinned a new topic to the top of the TMS WEB Core section of the Support Center.