The server determines what headers are allowed, what methods are allowed, and what hosts are allowed.

access-control-allow-xxx are a server-to-client headers, and for all practical purposes, no servers will accept them.

Concerning CORS

Remove your access-control.xxx headers and then look at the response. If denied, the server will let you know why.

If you do not have access to the server, and your host, method, and/or client-headers are denied, all you can do is use a proxy (forward your calls from the browser to an intermediate server). You will need access to some server for that however.