From: Win32nipuh
Date: 22.08.15 18:00
Rating: 24 (4)
S>There’s an interesting twist to this discussion of credentials and authentication. The description up to this point has been for the scenario where the browser is implicitly sending credentials. It’s possible for a JavaScript client to explicitly send credentials (again, typically via the Authorization header). If this is the case, then none of the aforementioned rules or behaviors related to credentials applies.
S>For this scenario, the client would explicitly set the Authorization header on the request and wouldn’t need to set withCredentials on the XMLHttpRequest. This header would trigger a preflight request and the server would need to allow the Authorization header with the Access-Control-Allow-Headers CORS response header. Also, the server wouldn’t need to issue the Access-Control-Allow-Credentials CORS response header.
S>Here’s what that client code would look like to explicitly set the Authorization header:
S>$.ajax({
S> url: "http://localhost/WebApiCorsServer/Resources/1",
S> headers: {
S> "Authorization": "Bearer eyJ0eXAiOiJKV1QiLCJhbGciOiJIUzI1NiJ9.eyJpc3Mi..."
S> }
S> // Other settings omitted
S>});
S>
S>OPTIONS http://localhost/WebApiCorsServer/Resources/1 HTTP/1.1
S>Host: localhost
S>Access-Control-Request-Method: GET
S>Origin: http://localhost:55912
S>Access-Control-Request-Headers: authorization
S>Accept: */*
S>
S>HTTP/1.1 200 OK
S>Access-Control-Allow-Origin: *
S>Access-Control-Allow-Headers: authorization
S>
<diagnostics wmiProviderEnabled="false">
<messageLogging logEntireMessage="true" logMalformedMessages="true" logMessagesAtServiceLevel="false" logMessagesAtTransportLevel="true" maxMessagesToLog="3000" maxSizeOfMessageToLog="200000" />
</diagnostics>
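The preflight exchange in the quoted text, modelled end to end as an added example (this is not code from the quoted article or from anyone in the thread). Both sides are written as pure functions so the flow can be run offline under Node: the browser decides that an explicit Authorization header forces an OPTIONS preflight, the server answers from a static policy, and the browser then applies the checks that differ between the "explicit header" mode and the `withCredentials` (cookie) mode. The origin, the header allowlist and the placeholder token are constructed for the example; the header names and the safelist are the standard CORS ones.

```javascript
// Added example: a minimal model of the CORS decisions around an explicitly
// set Authorization header. Origins, policy and token are constructed values.

// Request headers a browser may send cross-origin without a preflight.
const SAFELISTED = new Set(["accept", "accept-language", "content-language", "content-type"]);

// Browser side: a non-simple method or any non-safelisted header (Authorization
// is one) means the browser sends an OPTIONS preflight before the real request.
function needsPreflight(method, headers) {
  const simpleMethods = new Set(["GET", "HEAD", "POST"]);
  if (!simpleMethods.has(method.toUpperCase())) return true;
  return Object.keys(headers).some((h) => !SAFELISTED.has(h.toLowerCase()));
}

// Browser side: the preflight the browser emits for the intended request.
function buildPreflight(origin, method, headers) {
  const requested = Object.keys(headers).map((h) => h.toLowerCase()).sort().join(",");
  return {
    method: "OPTIONS",
    headers: {
      Origin: origin,
      "Access-Control-Request-Method": method.toUpperCase(),
      "Access-Control-Request-Headers": requested,
    },
  };
}

// Server side: answer a preflight from a static policy.
// policy = { allowOrigins: "*" | [origin, ...], allowHeaders: [name, ...], allowCredentials: bool }
function handlePreflight(preflight, policy) {
  if (policy.allowCredentials && policy.allowOrigins === "*") {
    // Echoing arbitrary origins together with Allow-Credentials: true hands any
    // site the user's cookies; refuse such a policy instead of serving it.
    throw new Error("allowCredentials requires an explicit origin allowlist");
  }
  const origin = preflight.headers.Origin;
  const requested = (preflight.headers["Access-Control-Request-Headers"] || "")
    .split(",").map((h) => h.trim().toLowerCase()).filter(Boolean);
  const allowed = policy.allowHeaders.map((h) => h.toLowerCase());
  const originOk = policy.allowOrigins === "*" || policy.allowOrigins.includes(origin);
  const headersOk = requested.every((h) => allowed.includes(h));
  if (!originOk || !headersOk) return { status: 403, headers: {} };

  const headers = { "Access-Control-Allow-Headers": allowed.join(", ") };
  if (policy.allowCredentials) {
    // Cookie / HTTP-auth mode: the concrete origin must be echoed, never "*".
    headers["Access-Control-Allow-Origin"] = origin;
    headers["Access-Control-Allow-Credentials"] = "true";
  } else {
    // Explicit-token mode: "*" is fine and Allow-Credentials is not needed.
    headers["Access-Control-Allow-Origin"] = policy.allowOrigins === "*" ? "*" : origin;
  }
  return { status: 200, headers };
}

// Browser side: the checks applied to the preflight response before the real
// request goes out. withCredentials makes "*" and a missing Allow-Credentials
// fatal; a request that only carries its own Authorization header does not.
function preflightPasses(response, origin, requestHeaders, withCredentials) {
  if (response.status < 200 || response.status >= 300) return false;
  const allowOrigin = response.headers["Access-Control-Allow-Origin"];
  if (withCredentials) {
    if (allowOrigin !== origin) return false;
    if (response.headers["Access-Control-Allow-Credentials"] !== "true") return false;
  } else if (allowOrigin !== "*" && allowOrigin !== origin) {
    return false;
  }
  const allowed = new Set((response.headers["Access-Control-Allow-Headers"] || "")
    .split(",").map((h) => h.trim().toLowerCase()).filter(Boolean));
  // Fetch spec caveat: an Allow-Headers wildcard never covers Authorization,
  // so that header must always be listed by name.
  const wildcard = allowed.has("*") && !withCredentials;
  return Object.keys(requestHeaders).every((h) => {
    const name = h.toLowerCase();
    if (SAFELISTED.has(name) || allowed.has(name)) return true;
    return wildcard && name !== "authorization";
  });
}

// The scenario from the quoted text: explicit bearer token, wildcard origin,
// Authorization listed in Allow-Headers, no Allow-Credentials.
function explicitTokenScenario() {
  const origin = "http://localhost:55912";                       // constructed
  const requestHeaders = { Authorization: "Bearer <token-omitted>" }; // constructed placeholder
  const policy = { allowOrigins: "*", allowHeaders: ["authorization"], allowCredentials: false };
  const preflight = buildPreflight(origin, "GET", requestHeaders);
  const response = handlePreflight(preflight, policy);
  return {
    preflighted: needsPreflight("GET", requestHeaders),
    response,
    allowed: preflightPasses(response, origin, requestHeaders, false),
    // Same server answer, but the page also set withCredentials: the browser refuses.
    allowedWithCredentials: preflightPasses(response, origin, requestHeaders, true),
  };
}

module.exports = { needsPreflight, buildPreflight, handlePreflight, preflightPasses, explicitTokenScenario };
```

Running `explicitTokenScenario()` reproduces the quoted OPTIONS exchange: the preflight asks for `authorization`, the server answers `200` with `Access-Control-Allow-Origin: *` and `Access-Control-Allow-Headers: authorization`, and the request is allowed; the same response is rejected as soon as the page also sets `withCredentials`, which is exactly why the two modes should not be mixed. The wildcard branch in `preflightPasses` is the caveat worth remembering on the server side: `Access-Control-Allow-Headers: *` does not authorise an Authorization header, it has to be named.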