Default for cors.allowCredentials should be false, current defaults broken #800

Open
toefel18 opened this issue Mar 10, 2018 · 0 comments · May be fixed by #1246

Current defaults:

// List the hosts and ports which will be allowed to make cross-origin requests, 
// separated by commas (* by default).
context.initParameters("org.scalatra.cors.allowedOrigins") = "*"
// By default, cookies are not included in CORS requests. Set this to `true` to allow cookies.
context.initParameters("org.scalatra.cors.allowCredentials") = true

The browser will block all cross-domain requests with these settings, because allowedOrigins may not be a wildcard when allowCredentials is true. This is based on the CORS documentation, which states:

Credentialed requests and wildcards
When responding to a credentialed request, the server must specify an origin in the value of the Access-Control-Allow-Origin header, instead of specifying the "*" wildcard.

scalatra-website has been updated to reflect this behavior in the documentation (scalatra/scalatra-website#181), but it would be better to change the default, which is effectively broken.

Suggested new default:

context.initParameters("org.scalatra.cors.allowCredentials") = false

With this default setting, CORS works as expected out of the box with a wildcard for allowedOrigins.
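
The browser-side rule quoted in the issue, as an added example (not part of the original issue and not Scalatra's code): a JavaScript model of the CORS check from the Fetch standard, run against constructed response headers. It assumes the server sends the configured `allowedOrigins` and `allowCredentials` values literally; `https://app.example` and the variable names are made up for illustration.

```javascript
// Added example: a model of the CORS check in the Fetch standard.
// All origins and header values here are constructed samples.

// Case-insensitive response header lookup; returns null when absent.
function getHeader(headers, name) {
  const key = Object.keys(headers).find((k) => k.toLowerCase() === name.toLowerCase());
  return key === undefined ? null : headers[key];
}

// credentialsMode is "include" for fetch(url, { credentials: "include" }) or
// XHR withCredentials = true; anything else is an uncredentialed cross-origin request.
function corsCheck(requestOrigin, credentialsMode, headers) {
  const allowOrigin = getHeader(headers, "Access-Control-Allow-Origin");
  if (allowOrigin === null) {
    return { allowed: false, reason: "no Access-Control-Allow-Origin header" };
  }
  const credentialed = credentialsMode === "include";
  if (!credentialed && allowOrigin === "*") {
    return { allowed: true, reason: "wildcard accepted, request carries no credentials" };
  }
  if (allowOrigin !== requestOrigin) {
    const wildcard = credentialed && allowOrigin === "*";
    return { allowed: false, reason: wildcard ? "wildcard rejected for credentialed request" : "origin mismatch" };
  }
  if (!credentialed) {
    return { allowed: true, reason: "origin matches" };
  }
  // A credentialed request also needs the exact, case-sensitive value "true".
  if (getHeader(headers, "Access-Control-Allow-Credentials") === "true") {
    return { allowed: true, reason: "origin matches, credentials allowed" };
  }
  return { allowed: false, reason: "Access-Control-Allow-Credentials is not true" };
}

// Assumption: the server emits the configured values literally.
const ORIGIN = "https://app.example";
const currentDefaults = { "Access-Control-Allow-Origin": "*", "Access-Control-Allow-Credentials": "true" };
const suggestedDefaults = { "Access-Control-Allow-Origin": "*" };
const explicitOrigin = { "Access-Control-Allow-Origin": ORIGIN, "Access-Control-Allow-Credentials": "true" };

for (const [label, mode, headers] of [
  ["current defaults, credentialed", "include", currentDefaults],
  ["suggested defaults, uncredentialed", "same-origin", suggestedDefaults],
  ["explicit origin, credentialed", "include", explicitOrigin],
]) {
  console.log(label, corsCheck(ORIGIN, mode, headers));
}
```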
