I think I have a solution
Webcore sents a method "OPTIONS" before the get.
The web server does not expect this method request and sent a 401 back.
I patched the source of the web server by sending a 204 back on the "OPTIONS" method.
After that everything works.
So nothing to do with CORS.