ryan_cors.js

var bunyan = require('bunyan');
var restify = require('restify');

var server = restify.createServer({
        log: bunyan.createLogger({
                name: 'restify',
                stream: process.stdout,
                level: process.env.LOG_LEVEL || 'info',
                serializers: restify.bunyan.serializers
        })
});

server.pre(restify.pre.sanitizePath());
server.use(restify.CORS());

server.get('/venues/:id', function (req, res, next) {
        res.json({
                venue: {
                        id: req.params.id
                }
        });
        next();
});

server.post('/venues/:id', function (req, res, next) {
        res.json(201, {
                venue: {
                        id: req.params.id
                }
        });
        next();
});

server.del('/venues/:id', function (req, res, next) {
        res.send(204);
        next();
});

server.listen(8080, function () {
        console.log('ready');
});

thanks mark, I have been doing some additional work to troubleshoot this. I'm not sure what I'm doing wrong yet. After implementing your changes, it is actually allowing GET, DELETE - but not POST now. I know it is something I'm doing as I ran your example at the top and it worked fine for me.

here are what I think the critical pieces are:

///////////////////
//server.js
///////////////////
var server = restify.createServer({
log: bunyan.createLogger({
name: 'restify',
stream: process.stdout,
level: process.env.LOG_LEVEL || 'info',
serializers: restify.bunyan.serializers
})
});

server.pre(restify.pre.sanitizePath());
server.use(restify.CORS());
server.use(restify.acceptParser(server.acceptable));
server.use(restify.queryParser());
server.use(restify.bodyParser());
server.use(restify.authorizationParser());
....
// venue methods
server.get('/venues', venues.findAll);
server.get('/venues/:id', venues.findById);
server.post('/venues', venues.addVenue);
server.del('/venues/:id', venues.deleteById);

server.listen(3000, function() {
console.log('%s listening at %s', server.name, server.url);
});

///////////////////
//venues.js
///////////////////
exports.addVenue = function(req, res, next) {
var v = req.params;

venueExists(v, function(exists) {
if (exists) {
res.send(new restify.ConflictError("Venue already exists"));
next();
} else {
var venue = new Venue({
_id : string(v.name).slugify().s, // need to replace space with - and make lowercase
name : v.name,
description : v.description,
isActive : v.isActive,
siteUrl : v.siteUrl,
market : string(v.market).slugify().s, // key to Market.js
address : v.address, // array of objects (AddressSchema)
contacts : v.contacts, // array of objects (ContactSchema)
privateNotes : v.privateNotes,
comments : v.comments,
logo : v.logo,
images : v.images
});

     venue.save(function (err) {
        if (!err) {
          res.send(201, venue);
          next();
        } else {
          res.send(err);
          next();
        }
      });
    }

});
}

/////////////
stack traces
////////////
$ curl -isS http://127.0.0.1:3000/venues/foo -X OPTIONS -H 'origin: foo.com' -H 'access-control-request-method: POST'
HTTP/1.1 405 Method Not Allowed
Allow: GET, DELETE
Content-Type: application/json
Content-Length: 67
Date: Fri, 08 Feb 2013 17:07:40 GMT
Connection: keep-alive

{"code":"MethodNotAllowedError","message":"OPTIONS is not allowed"}

$ curl -isS http://127.0.0.1:3000/venues/foo -X OPTIONS -H 'origin: foo.com' -H 'access-control-request-method: DELETE'
HTTP/1.1 200 OK
Allow: GET, DELETE
Access-Control-Allow-Origin: *
Access-Control-Allow-Methods: GET, DELETE
Access-Control-Allow-Headers: accept-version, content-type, request-id, x-api-version, x-request-id
Access-Control-Max-Age: 3600
Date: Fri, 08 Feb 2013 17:03:44 GMT
Connection: keep-alive
Transfer-Encoding: chunked