
Default value for Access-Control-Allow-Methods


I just learned about the Access-Control-Allow-Methods header, e.g.

Access-Control-Allow-Methods: OPTIONS, HEAD, GET

I have never used this header (just Access-Control-Allow-Origin), but I have gotten CORS to work in the past.

Is the default to allow all methods, or have I gotten lucky with undefined behavior?


Solution

  • The Access-Control-Allow-Methods header indicates which HTTP methods are allowed on a particular endpoint for cross-origin requests. If you allow all HTTP methods, then it's OK to set the value to something like Access-Control-Allow-Methods: GET, PUT, POST, DELETE, HEAD. However, if you want to limit the endpoint to only a few methods, you should only include those methods.

    As to why you haven't been seeing this before, this header is only used on CORS preflight requests. Maybe your application didn't use CORS preflight, and then something changed to trigger a preflight. Does your application use any HTTP methods other than GET/POST, or any custom HTTP headers?

    You can learn more about CORS preflight requests here: http://www.html5rocks.com/en/tutorials/cors/
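
An added example, not part of the original answer: a simplified JavaScript model of the browser's decision, following the Fetch standard's rules, showing when a preflight happens and what an absent Access-Control-Allow-Methods header means for each method. The function names are hypothetical, method names are assumed to be uppercase, and only the method check is modeled (the Access-Control-Allow-Headers check and the safelisted Range header are left out).

```javascript
// Methods and headers the Fetch standard treats as CORS-safelisted (simplified).
const SAFE_METHODS = new Set(["GET", "HEAD", "POST"]);
const SAFE_HEADERS = new Set(["accept", "accept-language", "content-language", "content-type"]);
const SAFE_CONTENT_TYPES = new Set([
  "application/x-www-form-urlencoded", "multipart/form-data", "text/plain",
]);

// Does a cross-origin request with this method and these headers trigger a preflight?
function needsPreflight(method, headers = {}) {
  if (!SAFE_METHODS.has(method)) return true;
  return Object.entries(headers).some(([name, value]) => {
    const n = name.toLowerCase();
    if (!SAFE_HEADERS.has(n)) return true;          // custom header
    if (n !== "content-type") return false;
    const mime = value.split(";")[0].trim().toLowerCase();
    return !SAFE_CONTENT_TYPES.has(mime);           // e.g. application/json
  });
}

// Does the preflight response permit the method?
// allowMethods is the raw header value, or null when the server omitted the header.
function methodAllowed(method, allowMethods, withCredentials = false) {
  if (SAFE_METHODS.has(method)) return true;        // never needs to be listed
  const list = (allowMethods || "").split(",").map((s) => s.trim()).filter(Boolean);
  if (list.includes(method)) return true;
  return list.includes("*") && !withCredentials;    // wildcard is ignored with credentials
}

// Combine both steps for one request (constructed inputs only).
function describe(method, headers, allowMethods, withCredentials = false) {
  if (!needsPreflight(method, headers)) return "no preflight";
  return methodAllowed(method, allowMethods, withCredentials)
    ? "preflight: method allowed"
    : "preflight: method blocked";
}

console.log(describe("GET", {}, null));                       // header never consulted
console.log(describe("DELETE", {}, null));                    // header missing
console.log(describe("DELETE", {}, "GET, PUT, POST, DELETE, HEAD"));
console.log(describe("PUT", {}, "*", true));                  // credentialed request
```

So the default is not "all methods": without the header, only GET, HEAD and POST pass, which is why a site using only those methods works with Access-Control-Allow-Origin alone.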