Tags: http, http-redirect, cors, w3c

Why does CORS specification not allow redirects?


The W3C CORS spec clearly states in Step 2:

If the response has an HTTP status code of 301, 302, 303, 307, or 308
Apply the cache and network error steps.

I think that this measure has been added to mitigate security risks. However, I am unable to find a source detailing what exactly the security ramifications of allowing redirects will be.


Questions about how to circumvent this issue have been asked before. I am looking for an explanation of why this clause was included in the specification in the first place, like the following questions:

CORS - What is the motivation behind introducing preflight requests?

Why does a cross-origin HEAD request need a preflight check?


Solution

  • From the WHATWG mailing list:

    Mostly because with preflight fetches everything gets more complicated. We did leave the door open to potentially allow this at some point, provided we figure out a sane protocol, but left it out initially for simplicity.
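As an added illustration (not part of the question, the answer, or any browser's code), the following JavaScript models the preflight-response checks a browser performs under the W3C CORS spec, with the quoted Step 2 applied before the resource sharing check; it is simplified (for example, Content-Type is treated as always simple) and the request/response object shapes are assumptions of this example.

```javascript
// Added example: a simplified model of the CORS preflight response checks
// from the W3C CORS spec. Step 2 (quoted in the question) turns any
// redirect of the preflight into a network error before the other checks run.
const SIMPLE_METHODS = new Set(["GET", "HEAD", "POST"]);
const SIMPLE_HEADERS = new Set(["accept", "accept-language", "content-language", "content-type"]);
const REDIRECT_CODES = new Set([301, 302, 303, 307, 308]);

// Parse a comma-separated header value into a lower-cased list of tokens.
function tokens(value) {
  return (value || "").split(",").map((t) => t.trim().toLowerCase()).filter(Boolean);
}

// request:  { origin, method, headers: [names], credentials: bool }
// response: { status, headers: { lowercased-name: value } }   (assumed shapes)
// Returns { ok: true } or { ok: false, reason }; ok:false is what the page
// sees as a network error.
function evaluatePreflight(request, response) {
  const h = response.headers;
  if (REDIRECT_CODES.has(response.status)) {
    return { ok: false, reason: "preflight redirected" }; // spec step 2
  }
  if (response.status < 200 || response.status > 299) {
    return { ok: false, reason: "preflight status not 2xx" };
  }
  // Resource sharing check: origin must be listed, or "*" without credentials.
  const allowOrigin = h["access-control-allow-origin"];
  if (allowOrigin !== request.origin && !(allowOrigin === "*" && !request.credentials)) {
    return { ok: false, reason: "origin not allowed" };
  }
  if (request.credentials && h["access-control-allow-credentials"] !== "true") {
    return { ok: false, reason: "credentials not allowed" };
  }
  // Non-simple methods must be listed in Access-Control-Allow-Methods.
  const methods = tokens(h["access-control-allow-methods"]).map((m) => m.toUpperCase());
  if (!SIMPLE_METHODS.has(request.method) && !methods.includes(request.method)) {
    return { ok: false, reason: `method ${request.method} not allowed` };
  }
  // Non-simple request headers must be listed in Access-Control-Allow-Headers.
  const allowedHeaders = new Set(tokens(h["access-control-allow-headers"]));
  for (const name of request.headers.map((n) => n.toLowerCase())) {
    if (!SIMPLE_HEADERS.has(name) && !allowedHeaders.has(name)) {
      return { ok: false, reason: `header ${name} not allowed` };
    }
  }
  return { ok: true };
}
```

The practical consequence for a server is that the OPTIONS preflight must be answered directly with a 2xx status; a redirect (for example to a canonical host) on that response fails the request in the browser.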