Why can't I see my CORS headers?

As covered in our article "Does Cloudflare support Cross-origin resource sharing (CORS)?", we offer support for CORS headers. Access-Control-Allow-Origin headers are often applied to cacheable content, such as font files.

A web server will often respond with different Access-Control-* headers depending on the Origin header the browser sends in the request, and for that reason the responses to these requests are cached separately from each other.

If you have added or changed your CORS configuration on your web server, purging the Cloudflare cache by URL will not show you the latest headers. To force Cloudflare to retrieve the new version of the file, you can do one of two things:

1. Change the filename or URL - this will bypass the cache and Cloudflare will retrieve the latest headers immediately.

2. Purge everything and update the Last-Modified timestamp on your web server. Completing a full CDN purge will force Cloudflare to revalidate any items in its cache, but for this to get the new version of the file, you may need to update your server's last-modified time for the file. You can do this by running touch on the file at the command line (e.g. "touch yourfile.extension") or by re-uploading the file via your FTP client.

Details on Purge Everything are here:


A future version of our API will allow URL purging for the different CORS requests to make this process easier.
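
To tell whether a missing header comes from a stale cached variant or from the web server itself, the following added example (not Cloudflare's own code) classifies the response headers returned for one Origin value. It relies on Cloudflare's CF-Cache-Status response header, which this article does not mention; the function names are hypothetical and the sample headers are constructed.

```shell
#!/bin/sh
# Added example. Classifies the headers returned for a request that sent a
# given Origin, so you can tell a stale cached variant from a server that is
# still misconfigured. Function names are hypothetical.
#
# Live use (placeholder URL and origin):
#   curl -s -o /dev/null -D - -H "Origin: https://app.example" \
#     "https://www.example.com/fonts/site.woff2" |
#     cors_variant_status "https://app.example"

# Print the value of one response header; the name match is case-insensitive.
header_value() {  # $1 = header name, stdin = raw response headers
  tr -d '\r' | awk -F':' -v name="$1" '
    tolower($1) == tolower(name) { sub(/^[^:]*: */, ""); print; exit }'
}

# Print ok, stale-cache or origin-misconfigured for one Origin variant.
cors_variant_status() (  # $1 = Origin that was sent, stdin = response headers
  headers=$(cat)
  acao=$(printf '%s\n' "$headers" | header_value Access-Control-Allow-Origin)
  cache=$(printf '%s\n' "$headers" | header_value CF-Cache-Status)
  if [ "$acao" = "$1" ] || [ "$acao" = "*" ]; then
    echo ok
    exit 0
  fi
  case "$cache" in
    # Answered from the edge cache, or revalidated against an unchanged
    # Last-Modified: the old headers are still cached for this Origin.
    HIT|STALE|UPDATING|REVALIDATED) echo stale-cache ;;
    # Fetched from the web server and still wrong: fix the server config.
    *) echo origin-misconfigured ;;
  esac
)

# Constructed sample response headers (not captured from a real site).
sample_headers() {  # $1 = CF-Cache-Status, $2 = Allow-Origin value or empty
  printf 'HTTP/1.1 200 OK\r\nContent-Type: font/woff2\r\n'
  printf 'CF-Cache-Status: %s\r\n' "$1"
  [ -n "${2:-}" ] && printf 'Access-Control-Allow-Origin: %s\r\n' "$2"
  printf '\r\n'
}

for status in HIT REVALIDATED MISS; do
  printf '%s: ' "$status"
  sample_headers "$status" "" | cors_variant_status "https://app.example"
done
```

A stale-cache result calls for one of the two steps above; origin-misconfigured means the web server is not yet sending the header for that Origin. Run the check once per Origin value you care about, since each is cached separately.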

