Hey @peternijem,
Sorry you're having a hard time with cross-origin requests to Kibana.
I see in the HAR file that you're making a request to POST http://10.100.0.207:5604/_security/user/peteruser.
Is this your Kibana endpoint? If so, the API to create a user in 7.5 is /api/security/v1/users/{username} (source link).
I also see a request to http://10.100.0.207:5604/api/features, which is returning a 404. Do you have security enabled for Kibana? If so, what user are you authenticating with? If the user does not have sufficient privileges (effectively the kibana_user role), then this endpoint can return a 404.
I know you tried a lot of config combinations. Does the following help any?
server.cors: true
# do not set server.cors.origin
server.xsrf.disableProtection: true