tyoshino@ already left the project, but I think we still have this problem, credentials are leaked on CORS redirects, and it violates the CORS spec.
Redirect targets were controlled by the server owner. So this wasn't a serious problem, but...
This will be an issue that the OOR-CORS project can help to fix it easily.
Comment 1 by tyoshino@chromium.org
, Sep 13 2016