True. If the original code (http://www.clevelanddata.com/lms/api.html) used to work, it now only works with the if I disable web security in chrome. This suggests to me, that the CORS implementation, is lacking during the preflight checks - but accept I could be wrong and missing the point.
I am planning for the website to be secured by other means and use https. Currently, for development purposes, it is not exposed beyond localhost.
In addition, I would put the credentials in the 'authorization' headers. I appreciate this is only marginally better than having them exposed in the URL.