There is one detail that is confusing to me, as the issue does not happen if CORS is disabled, I can upload and delete files without trouble. So if I'm not explicitly enabling any CSRF filter, how is that is enforced/applied with the CORS filter? (I think you are right that having POST allowed, it must be something else).

I looked at the request headers to see I there was something missing and found X-LABKEY-CSRF, but adding it to the cors.allowed.headers does not change things