Rephrased from original question
I have a GET request that is calling my OData DataService.
Now, when the request is made i see the following error in the network debugger:
HTTP OPTIONS 401 Unauthorized text/html
Indeed i do see that the Access-Control headers are all there as expected:
Access-Control-Allow-Headers: content-type, accept
Access-Control-Allow-Methods: POST, GET, OPTIONS
Access-Control-Allow-Origin: http://mydomain:port
Now despite what seems all correct, i still see the error as mentioned above (401 Unauthorized error during the pre-flight OPTIONS request).
What am i doing wrong here?
A 401 Unauthorized error has nothing (directly) to do with CORS at all.
The browser is making the OPTIONS request, the server is saying that it isn't allowed to (at all; not just from JavaScript).
The fact the CORS headers are also sent in the response is irrelevant: a requirement of CORS is that the preflight response is 200 OK.
What is probably happening is that you have an API which requires authentication. Maybe a username and password. Maybe a cookie. Maybe something else. It's your API, you should know.
The browser will not send those credentials in the preflight request.
You need to configure the server so that the credentials are not required for an OPTIONS request.