Steps to reproduce:

1. Create an application link for the origin URL where you are making the 'request from' in the target OnDemand instance (example: http://client.cors-api.appspot.com/client)
2. In your origin server, use this code to send the request:

   var createCORSRequest = function(method, url) {
     var xhr = new XMLHttpRequest();
     if ("withCredentials" in xhr) {
       // Most browsers.
       xhr.open(method, url, true);
     } else if (typeof XDomainRequest != "undefined") {
       // IE8 & IE9
       xhr = new XDomainRequest();
       xhr.open(method, url);
     } else {
       // CORS not supported.
       xhr = null;
     }
     return xhr;
   };
   
   var url = 'https://safi.jira-dev.com/rest/api/2/issue/TEST-1';
   var method = 'GET';
   var xhr = createCORSRequest(method, url);
   
   xhr.onload = function() {
     // Success code goes here.
   };
   
   xhr.onerror = function() {
     // Error code goes here.
   };
   
   xhr.withCredentials = true;
   xhr.setRequestHeader('Access-Control-Allow-Credentials', 'true');
   xhr.send();
   

   Whereby the var url is the origin host.

1. Or you can use http://client.cors-api.appspot.com/client to send the requests but you need to put the following options:

• HTTP Method: GET
• With credentials?: True
• Request Headers: Access-Control-Allow-Credentials: true
• Remote URL: origin URL

Actual Results
The results return with empty response or with '0' depends on your browser. If you are using http://client.cors-api.appspot.com/client, this response you will get:

Sending GET request to https://safi.jira-dev.com/rest/api/2/issue/TEST-1
, with credentials, with custom headers: Access-Control-Allow-Credentials
Fired XHR event: loadstart
Fired XHR event: readystatechange
Fired XHR event: error

XHR status: 0
XHR status text: 
Fired XHR event: loadend