For some obscure reason, when the CORS filter is enabled in web.xml, the XUI starts misbehaving (even though the XUI has the same origin as the REST API), i.e. instead of rendering the page it displays an error message. I expect that this misbehavior can be corrected by adding all required headers in Allow-Headers headers in the CORS filter.
It should be determined why the CORS filter affects the XUI at all.
For cases when users want to use the XUI on a different origin (if that even makes sense), the documentation should list the necessary CORS filter options required to make the XUI work without any issues.
Add the following to your tomcat/.../conf/web.xml file and restart tomcat.