When a browser uses the "withCredentials" flag (not visible in HTTP request headers), it accepts the response only if the "Access-Control-Allow-Credentials" header returned by the server is set to "true".
That header is not part of Camel standard cors headers, but it can be set in the route. The problem is that when "Access-Control-Allow-Credentials" is set to "true", the "Access-Control-Allow-Origin" header cannot be set to "*", which is our default (https://www.w3.org/TR/cors/ - section 6.1, point 3).
Setting a value for the "Access-Control-Allow-Origin" header equals to the "Origin" header of the request makes the trick, but this must be set per-route, and CORS must be disabled.
Otherwise the only option is setting a fixed allowed origin if you know it in advance.
I wonder if we should add e.g. a ".corsAllowCredentials(boolean)" configuration to handle this situation correctly, or another flag to reflect the origin instead of returning "*".