Cross-Origin Resource Sharing
All resources support Cross-Origin Resource Sharing (CORS). Note that Access-Control-Allow-Credentials: is not set true, to prevent CSRF attacks. Cross-origin applications can send the Authorization: Handle header which is constructed by the application rather than the browser.