Ajax CORS Request with http 401 in preflight

UPDATE Looks like I was not right. Authorization header is never sent for OPTIONS request. Please see comment by sideshowbarker - you need to make sure that your server doesn't respond with 401 to OPTIONS request.

I don't know what language is your server written in, but you implemented authorization in the wrong way - OPTIONS method should be excluded from auth. Also see here - OPTIONS request authentication

Below is obsolete answer:

Your serverside requires HTTP Basic authentication for this request. And you don't provide credentials. 401 error has nothing to do with CORS; it just means that the server chose to not authorize your request because you didn't provide auth credentials.

If you try to open this url (like https://dev.radbonus.com/admin/affiliate-connections/retrieveSingle/1.json) directly in browser, you will be asked to enter login&password, which is how the browser handles 401 error with WWW-Authenticate header.

Please notice that Authorization header is actually not included with your request. So instead of using beforeSend hook, you should probably just include header directly in your call:

headers: {
    'Authorization': 'Basic ' + btoa(username+':'+password),
},

And make sure that Authorization header presents in your request.

Browsers make a Pre-flight request with method - OPTIONS, with the header names(only) you will be sending for actual request, before the actual GET/POST/PUT method. That is why your Pre-flight request headers looks like this,

**Access-Control-Request-Headers:authorization,content-type**

Now, in your Server, you should return HTTP_STATUS.OK - 200, for the OPTIONS request. If it returns any other status, then your actual request won't be made to server.

Here is a Good reading on CORS. https://developer.mozilla.org/en-US/docs/Web/HTTP/CORS

I've faced this same issue recently and fixed by returning, 200 for the OPTIONS method in my Servlet Filter(SpringBoot).