Chose a combination of the 3 buttons above, then press MCWS Authenticate to test.

MC needs to be configured with the user/password MCCT/MCCT

Note that the only feedback is in the browser developper tools (shift-ctrl-I in Chrome). Check what happened to the authenticate operation and what the HTTP headers looked like.

If I understand correctly the specs, the 'correct' options are 'withCredentials' on and User Name and Password' on or off. If off, the browser will ask for the info itself. If on, the aplication is responsible for that.

My understanding is the OPTIONS header must not require authentication itself, and appearently should return 200 (not 401) even if authentication is enabled

There is a good flow chart on enable-cors .