I think the credentials flag should specifically affect cookies, http authentication, and client-side SSL certs, but not proxy authentication (or, obviously, Origin).
Thanks for this Maciej! I defined credentials. Also since CORS now uses HTML5 fetch too Referer behavior should be defined as well.
-- Anne van Kesteren http://annevankesteren.nl/
