I got this to work, but CorsFilter is picky!

1. Content-Type can not be blank. Setting it to "application/x-www-form-urlencoded" works.
2. Using API keys to log in did work (still playing with regular Cookie/JSESSION authentication)
3. For other developers trying to repro, you need to include the non default ports in the CORS config e.g. http://localhost:8080

xhr.open('POST', 'http://lk:8080/labkey/_webdav/home/%40files/1.jpg?method=DELETE');
xhr.setRequestHeader("Authorization", "Basic " + btoa('apikey:apikey|6a79d45d50b400eb787abbeb67838854'));
xhr.setRequestHeader("Content-Type", "application/x-www-form-urlencoded");
xhr.onreadystatechange = someHandler;
xhr.send();