CORS needs a preflight request when a password is defined on Shelly.
In that request (automatically done by the browser) no custom headers are sent, so we can't authenticate to Shelly.
A request of OPTIONS method should not require authentication in order for CORS to work properly.
What is the best way to send this info to the firmware developers?