Method DELETE is not allowed by Access-Control-Allow-Methods

I have setup a role that should allow all methods on all services. Everything works fine, except for the DELETE method. Is this a bug or a setting that I have missed?

The DSP is hosted on Heroku with the one-click setup that you have created.

Edit: Headers

Remote Address:myIp
Request URL:http://myUrl/rest/db/contacts/51
Request Method:OPTIONS
Status Code:204 No Content
Request Headersview source
Accept:*/*
Accept-Encoding:gzip, deflate, sdch
Accept-Language:en-GB,en-US;q=0.8,en;q=0.6
Access-Control-Request-Headers:x-dreamfactory-session-token, accept, x-dreamfactory-application-name
Access-Control-Request-Method:DELETE
Cache-Control:no-cache
Connection:keep-alive
Host:myUrl
Origin:http://localhost
Pragma:no-cache
Referer:http://localhost
User-Agent:Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.71 Safari/537.36
Response Headersview source
Access-Control-Allow-Credentials:true
Access-Control-Allow-Headers:Content-Type,X-Requested-With,X-DreamFactory-Application-Name,X-Application-Name,X-DreamFactory-Session-Token,X-HTTP-Method,X-HTTP-Method-Override,X-METHOD-OVERRIDE
Access-Control-Allow-Methods:OPTIONS
Access-Control-Allow-Origin:*
Access-Control-Max-Age:900
Cache-Control:no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Connection:keep-alive
Content-Length:0
Content-Type:text/plain;charset=UTF-8
Date:Tue, 16 Dec 2014 12:51:32 GMT
Expires:Thu, 19 Nov 1981 08:52:00 GMT
Pragma:no-cache
Server:Apache/2.4.10 (Unix)
Set-Cookie:PHPSESSID=bth3nnj3n0s0u2cle8a9jlvkr7; path=/
Via:1.1 vegur
X-Dreamfactory-Origin-Whitelisted:0
X-Dreamfactory-Source:http://myUrl
X-Powered-By:PHP/5.6.3

Edit2: I’ve now changed the CORS settings to allow it, but this is the third time that I’ve done so. Why does the CORS setting revert?

Sorry about the issue on Heroku. See this post CORS settings keep on resetting. We’re working on a better solution for Heroku, but please try this workaround for now.