HTTP authentication doesn't work with bookmarklet

[rjorgenson]

CORS rejects the request when HTTP auth credentials are used via url (https://user:[email protected]). There is a header that should allow this https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Access-Control-Allow-Credentials but I haven't been able to test this. Alternatively setting the authentication via headers is possible with xhr.setRequestHeader('Authorization', 'Basic <BASE64_ENCODED_AUTH>'); in the bookmarklet (after the request is opened) but this also results in a CORS error.

Access to XMLHttpRequest at 'https://__URL__/add' from origin 'https://www.youtube.com' has been blocked by CORS policy: Response to preflight request doesn't pass access control check: No 'Access-Control-Allow-Origin' header is present on the requested resource.

It seems that either method requires the Access-Control-Allow-Credentials header to be set to true. The basic auth request does work via curl with the header and the username password when not doing a cross site request.