This isn't CORS related -- it's S3 itself. The S3 website endpoints are only equipped for GET and HEAD. Anything else should be denied before the redirection rules are checked.
Website Endpoint
Supports only GET and HEAD requests on objects.
> http://docs.aws.amazon.com/AmazonS3/latest/dev/WebsiteEndpoints.html
So how your API will work then ?

This isn't CORS related -- it's S3 itself. The S3 website endpoints are only equipped for `GET` and `HEAD`. Anything else should be denied before the redirection rules are checked.
>Website Endpoint
>Supports only GET and HEAD requests on objects.
>— http://docs.aws.amazon.com/AmazonS3/latest/dev/WebsiteEndpoints.html