Hi, I also struggled long with the cors topic. Until I finally found the problem.

        <filter-name>ContentCorsFilter</filter-name>
        <filter-class>org.apache.catalina.filters.CorsFilter</filter-class>
        <init-param>
            <param-name>cors.allowed.origins</param-name>
            <param-value>http://localhost:4200</param-value>
        </init-param>
        <init-param>
            <param-name>cors.support.credentials</param-name>
            <param-value>true</param-value>
        </init-param>
        <init-param>
            <param-name>cors.allowed.methods</param-name>
            <param-value>GET,POST,OPTIONS</param-value>
        </init-param>
        <init-param>
            <param-name>cors.allowed.headers</param-name>
            <param-value>Content-Type,X-Requested-With,Access-Control-Allow-Origin,Access-Control-Allow-Credentials</param-value>
        </init-param>
    </filter>
    <filter>
        <filter-name>ContentHttpHeaderSecurityFilter</filter-name>
        <filter-class>org.apache.catalina.filters.HttpHeaderSecurityFilter</filter-class>
        <init-param>
            <param-name>antiClickJackingOption</param-name>
            <param-value>ALLOW-FROM</param-value>
        </init-param>
        <init-param>
            <param-name>antiClickJackingUri</param-name>
            <param-value>http://localhost:4200</param-value>
        </init-param>
    </filter>
    <filter-mapping>
        <filter-name>ContentCorsFilter</filter-name>
        <url-pattern>/servlet/WindchillAuthGW/wt.content.ContentHttp/viewContent/*</url-pattern>
        <url-pattern>/servlet/WindchillGW/wt.fv.master.StandardMasterService/doDirectDownload/*</url-pattern>
        <url-pattern>/servlet/WindchillGW/wt.fv.replica.StandardReplicaService/doDownload/*</url-pattern>
        <url-pattern>/servlet/WindchillGW/wt.fv.replica.StandardReplicaService/doIndirectDownLoad/*</url-pattern>
        <url-pattern>/servlet/WindchillGW/wt.fv.uploadtocache.DoUploadToCache_Server/doUploadToCache_Master</url-pattern>
        <url-pattern>/servlet/WindchillGW/wt.fv.uploadtocache.DoUploadToCache_Server/doUploadToCache_Replica</url-pattern>
    </filter-mapping>
    <filter-mapping>
        <filter-name>ContentHttpHeaderSecurityFilter</filter-name>
        <url-pattern>/servlet/WindchillAuthGW/wt.content.ContentHttp/viewContent/*</url-pattern>
        <url-pattern>/servlet/WindchillGW/wt.fv.master.StandardMasterService/doDirectDownload/*</url-pattern>
        <url-pattern>/servlet/WindchillGW/wt.fv.replica.StandardReplicaService/doDownload/*</url-pattern>
        <url-pattern>/servlet/WindchillGW/wt.fv.replica.StandardReplicaService/doIndirectDownLoad/*</url-pattern>
        <url-pattern>/servlet/WindchillGW/wt.fv.uploadtocache.DoUploadToCache_Server/doUploadToCache_Master</url-pattern>
        <url-pattern>/servlet/WindchillGW/wt.fv.uploadtocache.DoUploadToCache_Server/doUploadToCache_Replica</url-pattern>
    </filter-mapping>

 My problem was, that the tag cors.allowed.headers did not have the appropriate header information in it. This is just missing in the WNC help.

Access-Control-Allow-Origin,Access-Control-Allow-Credentials

Adding the above entries to the codebase/WEB-INF/web.xml  solved all my CORS problems.