Inaccurately parsing Access-Control-Allow-Headers #549

@santospm

In

class: com.gargoylesoftware.htmlunit.javascript.host.xml.XMLHttpRequest
method: isPreflightAuthorized

When checking for preflight headers, it's assumed that there would be a single Access-Control-Allow-Headers, with comma-delimited values. However, the particular website we're operating against returns multiple instances of Access-Control-Allow-Headers. As such, only the first instance is retrieved, which prevents the second httpRequest from being made:

```java
XMLHttpRequest.doSend() {

    /*
     * isPreflightAuthorized returns false
     */
    if (!preflightResponse.isSuccessOrUseProxyOrNotModified()
            || !isPreflightAuthorized(preflightResponse)) {
        ...
        return;
    }

    // execute second httpRequest
}

XMLHttpRequest.isPreflightAuthorized(..) {
    ...

    /*
     * headersHeader is expected to be a single value, with comma-delimited tokens
     */
    if (isPreflightHeader(key, header.getValue()) && !headersHeader.contains(key)) {
        return false;
    }
    ...
}
```

It's worth noting that this website works just fine in browsers such as Chrome, Firefox, Safari.

SOLUTION
What should be done is:

  1. Iterate through all the headers looking for Access-Control-Allow-Headers, and extract all the tokens delimited by a comma (,)
  2. Add all tokens to a Set
  3. Verify the header name/key is contained within the aforementioned Set
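
The three steps proposed above, as an added sketch that is not HtmlUnit's code or its eventual fix. It models the response headers as a plain list of name/value pairs instead of HtmlUnit classes (an assumption), compares names case-insensitively because HTTP field names are case-insensitive, and uses a constructed class name, method names and sample response (Java 9+):

```java
import java.util.HashSet;
import java.util.List;
import java.util.Locale;
import java.util.Map;
import java.util.Set;

public class PreflightHeaderCheck {

    // Steps 1 and 2: visit every Access-Control-Allow-Headers field and pool its tokens.
    static Set<String> allowedHeaders(List<Map.Entry<String, String>> responseHeaders) {
        Set<String> allowed = new HashSet<>();
        for (Map.Entry<String, String> h : responseHeaders) {
            if (!"Access-Control-Allow-Headers".equalsIgnoreCase(h.getKey())) {
                continue;
            }
            for (String token : h.getValue().split(",")) {
                String name = token.trim().toLowerCase(Locale.ROOT);
                if (!name.isEmpty()) { // ignore empty list elements such as "a,,b"
                    allowed.add(name);
                }
            }
        }
        return allowed;
    }

    // Step 3: fail closed unless every requested header name is in the pooled set.
    static boolean isAuthorized(List<Map.Entry<String, String>> responseHeaders,
                                List<String> requestedHeaders) {
        Set<String> allowed = allowedHeaders(responseHeaders);
        for (String requested : requestedHeaders) {
            if (!allowed.contains(requested.trim().toLowerCase(Locale.ROOT))) {
                return false;
            }
        }
        return true;
    }

    public static void main(String[] args) {
        // Constructed preflight response: the allow-list is split across two fields.
        List<Map.Entry<String, String>> response = List.of(
                Map.entry("Access-Control-Allow-Origin", "https://app.example"),
                Map.entry("Access-Control-Allow-Headers", "Content-Type, X-Requested-With"),
                Map.entry("access-control-allow-headers", "Authorization"));

        // Requested names that are spread across both fields.
        System.out.println(isAuthorized(response, List.of("authorization", "content-type")));
        // A requested name that neither field lists.
        System.out.println(isAuthorized(response, List.of("x-api-key")));
    }
}
```

Pooling the fields only widens the allow-list to what the server actually sent; a requested header that appears in none of them is still rejected.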
