This came up on StackOverflow: http://stackoverflow.com/questions/9830436/why-does-chrome-send-user-credentials-with-preflighed-cors-request

It looks like the logic in DocumentThreadableLoader::makeCrossOriginAccessRequestWithPreflight is conforming to an earlier version of the standard, and potentially allowing cookies in the preflight request:

    void DocumentThreadableLoader::makeCrossOriginAccessRequestWithPreflight(const ResourceRequest& request)
    {
        ResourceRequest preflightRequest = createAccessControlPreflightRequest(request, securityOrigin(), m_options.allowCredentials);
        loadRequest(preflightRequest, DoSecurityCheck);
    }

The 'createAccessControlPreflightRequest' method shouldn't have that last parameter.
*** This bug has been marked as a duplicate of bug 37676 ***
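
An added example, not part of the original report or of WebKit's code: a check to run over captured request heads to confirm that a CORS preflight (an OPTIONS request with Origin and Access-Control-Request-Method) carries no Cookie or Authorization header. The function names, hostnames and sample requests are constructed for illustration.

```javascript
// Added example: flag CORS preflight requests that carry credentials.
// Names and sample requests are constructed, not taken from WebKit.
const CREDENTIAL_HEADERS = ["cookie", "authorization"];

// Parse a raw HTTP/1.1 request head into { method, target, headers }.
function parseRequestHead(raw) {
  const lines = raw.split(/\r?\n/);
  const [method, target] = lines[0].split(" ");
  const headers = new Map();
  for (const line of lines.slice(1)) {
    if (line === "") break;            // blank line ends the head
    const idx = line.indexOf(":");
    if (idx <= 0) continue;            // skip malformed header lines
    headers.set(line.slice(0, idx).trim().toLowerCase(), line.slice(idx + 1).trim());
  }
  return { method, target, headers };
}

// A preflight is OPTIONS + Origin + Access-Control-Request-Method.
function isPreflight(req) {
  return req.method === "OPTIONS" &&
    req.headers.has("origin") &&
    req.headers.has("access-control-request-method");
}

// Return the credential header names present on a preflight ([] if none,
// or if the request is not a preflight at all).
function credentialsOnPreflight(raw) {
  const req = parseRequestHead(raw);
  if (!isPreflight(req)) return [];
  return CREDENTIAL_HEADERS.filter((h) => req.headers.has(h));
}

// Constructed samples: a preflight that leaks a cookie, a clean preflight,
// and an ordinary OPTIONS request that is not a preflight.
const head = (...lines) => lines.join("\r\n") + "\r\n\r\n";
const leakyPreflight = head("OPTIONS /api/items HTTP/1.1", "Host: api.example.test",
  "Origin: https://app.example.test", "Access-Control-Request-Method: PUT",
  "Access-Control-Request-Headers: content-type", "Cookie: session=PLACEHOLDER");
const cleanPreflight = head("OPTIONS /api/items HTTP/1.1", "Host: api.example.test",
  "Origin: https://app.example.test", "Access-Control-Request-Method: PUT");
const plainOptions = head("OPTIONS /api/items HTTP/1.1", "Host: api.example.test",
  "Cookie: session=PLACEHOLDER");

for (const [name, raw] of Object.entries({ leakyPreflight, cleanPreflight, plainOptions })) {
  const found = credentialsOnPreflight(raw);
  console.log(name, found.length ? "credentials on preflight: " + found.join(", ") : "ok");
}
```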