CORS and basic authentication with cowboy and XmlHttpRequest

So this seems to be anything but straight forward so I document here for the sake of it. Note that you may not require an Authorization header for the preflight OPTIONS request, you may not set Access-Control-Allow-Origin to the wildcard in that case but to the originating domain specifically, of course Access-Control-Allow-Credentials must be set […]