Added Access-Control headers if CORS is enabled

[jcchalte]

First PR here, let's hope I do it well :)

Without setting withCredentials to true on javascript XHR, CORS is disabled. I added that in the relevant part of the code.

But there is something strange as

• the containing "if" part already refers to the "withCredential" field
• Another part of the code already reference this, but in a commented line

By reading the code, I suspect that maybe the developer knew but removed references to withCredential for a purpose. Maybe I am missing something here but the MDN article on withCredential does not indicate any side-effect.

https://developer.mozilla.org/en-US/docs/Web/API/XMLHttpRequest/withCredentials

[janhommes]

Looks good for me -> merge. Don't remember why it was left out...