Closed
Labels: security/privacy (There are security or privacy implications), topic: cors, topic: http, topic: redirects
Description
User-agent-controlled credentials are only included for matching requests, but developer-controlled credentials will be copied from request to request.
There's a proposal to scope a developer-controlled Authorization header to the origin of the initial request. (If you use other headers to carry credentials you are out of luck.)
This might be reasonably compatible as Authorization is a header that requires a preflight (and does not allow wildcards) and redirects for preflights were not followed until recently.
What's needed to move this forward:
- Implementers need to be interested.
- Tests need to be written to ensure it's dropped at the appropriate time (and other headers are not).
- The specification needs to be updated to account for this. Perhaps by reusing https://fetch.spec.whatwg.org/#cors-non-wildcard-request-header-name somehow.
cc @whatwg/security
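The scoping rule proposed above, as an added example that is not code from whatwg/fetch or from the issue author: a small Node.js simulation of a client following a constructed redirect chain, where a developer-set `Authorization` header is forwarded only while the redirect target stays on the origin of the initial request, and every other developer-set header is copied unchanged. The route table, header values and function names (`headersForRedirect`, `followRedirects`) are constructed for illustration, and the check implements the issue's wording (origin of the initial request) rather than any particular spec text.

```javascript
// Added example (not whatwg/fetch code). Models the proposal in this issue:
// a developer-controlled Authorization header is scoped to the origin of the
// initial request and dropped once a redirect leaves that origin, while other
// developer-controlled headers keep being copied from request to request.

const AUTHORIZATION = "authorization";

// Decide which developer-controlled headers survive one redirect hop.
// `initialOrigin`: origin of the request the developer started.
// `nextUrl`: absolute URL taken from the redirect's Location.
// `headers`: Map of lowercased header name -> value sent on the previous hop.
function headersForRedirect(initialOrigin, nextUrl, headers) {
  const sameOrigin = new URL(nextUrl).origin === initialOrigin;
  const out = new Map();
  for (const [name, value] of headers) {
    const lower = name.toLowerCase();
    // The only header this proposal drops is Authorization, and only when the
    // target is not the initial request's origin. Everything else is copied.
    if (lower === AUTHORIZATION && !sameOrigin) continue;
    out.set(lower, value);
  }
  return out;
}

// Follow a constructed redirect chain. `routes` maps an absolute URL to either
// { redirect: "<Location>" } or { body: "<response>" }. Returns the final URL,
// its body, and a per-hop trace of the headers that were sent, so a reviewer
// can see exactly where a credential would have crossed an origin boundary.
function followRedirects(startUrl, initialHeaders, routes, maxHops = 20) {
  const initialOrigin = new URL(startUrl).origin;
  let url = startUrl;
  let headers = new Map(
    [...initialHeaders].map(([name, value]) => [name.toLowerCase(), value])
  );
  const trace = [];
  for (let hop = 0; hop <= maxHops; hop++) {
    const route = routes[url];
    if (!route) throw new Error(`no route for ${url}`);
    trace.push({ url, headersSent: Object.fromEntries(headers) });
    if (route.redirect === undefined) {
      return { url, body: route.body, trace };
    }
    const nextUrl = new URL(route.redirect, url).href; // resolve relative Location
    headers = headersForRedirect(initialOrigin, nextUrl, headers);
    url = nextUrl;
  }
  throw new Error("too many redirects");
}

// Constructed route table: one same-origin hop, then one cross-origin hop.
const ROUTES = {
  "https://api.example/v1/data": { redirect: "/v2/data" },
  "https://api.example/v2/data": { redirect: "https://cdn.other.example/data" },
  "https://cdn.other.example/data": { body: "payload" },
};

// Constructed developer-controlled headers for the demo.
const DEMO_HEADERS = [
  ["Authorization", "Bearer token123"],
  ["X-Trace", "abc"],
];

// Runs the demo and returns the result so it can be inspected or asserted on.
function demo() {
  return followRedirects("https://api.example/v1/data", DEMO_HEADERS, ROUTES);
}

console.log(JSON.stringify(demo().trace, null, 2));
```

Running it prints a three-entry trace: `Authorization` is present on the two hops that stay on `https://api.example` and absent on the hop to `https://cdn.other.example`, while `X-Trace` is present on all three. That last point is the behaviour the issue's test item asks for: the header is dropped at the right time, and other headers are not.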