I concur with @Dave. Also I coded the (one-liner) change to append the Authorization header to the allowed CORS list faster than he could add it to the backlog. It will be effective next time we deploy the Cloud, probably after @Dave’s back from China.
Re the fact that the Authorization header works with curl—CORS is only enforced by browsers. It’s not an intrinsic part of the API, other than stating in headers what we want the browsers to allow. I guess one could view curl as a browser that arguably ought to enforce CORS, but I would personally hate that, and I think lots of other folks would too.
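The behaviour described in the post above, as an added example that is not part of the original post or the project's code: the server only states its header allowlist in the preflight response, and a browser-style check decides whether the request goes ahead. The function names, the origin, and the header lists are assumptions made for illustration, and the check is a simplified model of what browsers do.

```javascript
// Server side (hypothetical helper): the API only *states* what browsers may send.
function preflightResponseHeaders(allowedOrigins, allowedHeaders, origin) {
  if (!allowedOrigins.includes(origin)) return {}; // no CORS headers at all
  return {
    "Access-Control-Allow-Origin": origin,
    "Access-Control-Allow-Methods": "GET, POST",
    "Access-Control-Allow-Headers": allowedHeaders.join(", "),
    "Vary": "Origin",
  };
}

// Request headers that need no preflight approval (Content-Type is left out
// because it is only safelisted for a few values).
const SAFELISTED = new Set(["accept", "accept-language", "content-language"]);

// Client side: simplified model of the check a browser runs on the preflight
// response. curl and other non-browser clients never run it, which is why the
// Authorization header already worked there.
function browserAllows(origin, requestHeaderNames, responseHeaders) {
  const allowOrigin = responseHeaders["Access-Control-Allow-Origin"];
  if (allowOrigin !== origin && allowOrigin !== "*") return false;
  const allowed = (responseHeaders["Access-Control-Allow-Headers"] || "")
    .split(",")
    .map((h) => h.trim().toLowerCase())
    .filter(Boolean);
  return requestHeaderNames.every((name) => {
    const n = name.toLowerCase(); // header names compare case-insensitively
    if (SAFELISTED.has(n) || allowed.includes(n)) return true;
    // The "*" wildcard never covers Authorization; it must be listed by name.
    return n !== "authorization" && allowed.includes("*");
  });
}

// Constructed sample values: allowlist before and after the one-line change.
function demo() {
  const origin = "https://app.example.test";
  const request = ["Authorization", "Content-Type"];
  const before = preflightResponseHeaders([origin], ["Content-Type"], origin);
  const after = preflightResponseHeaders(
    [origin], ["Content-Type", "Authorization"], origin);
  return {
    before: browserAllows(origin, request, before),
    after: browserAllows(origin, request, after),
  };
}
```

Because the check is enforced only by the browser, the allowlist is not an access control for the API itself; the server still has to validate the Authorization header on every request.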