The problem actually was with my understanding of the CORS policy. When i make a PATCH the browser makes an OPTIONS to check if i can use the PATCH method, and even if i answer this OPTIONS request saying that i accept the PATCH method, when i receive the actual PATCH request i must again answer this request saying that i allow the PATCH request, otherwise the browser will not allow me to use the answer given by my server.