without sending cookies, sessions for service-access (basic auth) are renewed on backend for each request
that causes extsource loa to be updated which then updates relevant attribute (2 audit messages for EACH request!)
this was not a problem for oidc access, because session was not renewed in case of missing cookies
withCredentials header will solve problem for renewing sessions, but requests will fail if apache configuration does not allow domain for this behavior
localhost is not supported origin, therefore we only add withCredentials header to calls from domain not coming from localhost