CORS and the _method parameter

Our site has CORS set up to allow “simple requests”, i.e. the GET/POST/HEAD http methods. However I was recently made aware that the _method parameter exists and its interaction with CORS to basically allow anyone to make any type of request if they know what they’re doing.

At this point I might as well relax CORS and allow everything without workarounds. Is there something I’m missing to properly implement the CORS restrictions I want?