Authentication policy returning 401 on cors OPTIONS call

I am using the alpha1 Authentication policy on istio 4.6 and it is not letting pass the OPTIONS call for preflight. The policy is applied on the service, is this the way it should be?

If it is how can make the policy ignore the OPTIONS cors call to let the request reach the service?

@YangminZhu I remembered you did a CORS Preflight change a while ago. This is 1.4.7. Does customer need to tweak a bit to opt-in the CORS prelight support?

I have seen this pull request . But it doesn’t seems to be working.

Do you have the policy yaml and the HTTP request to reproduce the issue?