If server returns the "X-Request" after "X-Requested-With" in the "Access-Control-Allow-Headers" the "X-Requested-With" header will be ignored, thus browser will return error "X-Requested-With is not allowed by Access-Control-Allow-Headers".
My workaround was to comment out "X-Request: JSON" in the "Request.JSON.initialize()".
Request: Add a note about CORS allowed headers to Request docs.
Also fixes #2494.
Thanks @5HT2A for reporting the docs problem and helping to debug and verify above mentioned issue.