When authentication at the REST server side is disabled (.htaccess/.htpasswd deleted), the component works! So, no CORS issue. BUT, as soon as I put something in either User/Password of the component or add the authentication header like Con.Headers.Values['Authorization'] := 'Basic YXBpdXNlcjp0cmFsbGFsYQ==';, the request does indeed run into that dreaded "blocked by CORS" error.
So the question now changes to:
Why do I have no CORS problem when I do not enter any credentials in the component and why do I have a CORS problem when I do enter something?