Hello,
I have a very strange problem, only on Safari.
I have set up cross-origin access on my API, and it is only on Safari that it doesn't work. More exactly, if I do not pass headers during the call, it works:
fetch('https://api.myapp.com/api/safari-test')
200 OK
Access-Control-Allow-Methods: GET,OPTIONS
Access-Control-Allow-Origin: https://www.myapp.com
Access-Control-Allow-Headers: Accept,Accept-Encoding,Accept-Language,Access-Control-Request-Header,Access-Control-Request-Method,Authorization,Cache-Control,Connection,Content-Type,DNT,Host,If-Modified-Since,Keep-Alive,Origin,Pragma,Referer,User-Agent,x-csrf-token,x-requested-with
Content-Type: application/json; charset=UTF-8
Content-Encoding: gzip
Date: Thu, 23 Sep 2021 16:32:00 GMT
Vary: Accept-Encoding, Origin
Server: nginx
But if I pass headers, it doesn't work anymore:
fetch('https://api.myapp.com/api/safari-test', {
    method: 'GET',
    headers: new Headers({
        'Authorization' : 'Bearer ...'
    }),
    mode: 'cors',
    cache: 'default'
})
[err] Fetch API cannot load https://api.myapp.com/api/safari-test due to access control checks.
I don't understand why: all the necessary headers are transmitted. Here is my nginx configuration:
location ~ ^/api/safari-test {
    set $cors '';
    if ($http_origin ~ ^(https?:\/\/www\.myapp\.com)$) {
        set $cors 'true';
    }
    if ($request_method = 'OPTIONS') {
        set $cors "${cors}options";
    }
    if ($request_method = 'GET') {
        set $cors "${cors}get";
    }
    if ($cors = "true") {
        add_header 'Access-Control-Allow-Origin' "$http_origin" always;
        add_header 'Vary' Origin always;
    }
    if ($cors = "trueget") {
        add_header 'Access-Control-Allow-Origin' "$http_origin" always;
        add_header 'Access-Control-Allow-Methods' 'GET,OPTIONS' always;
        add_header 'Access-Control-Allow-Headers' 'Accept,Accept-Encoding,Accept-Language,Access-Control-Request-Header,Access-Control-Request-Method,Authorization,Cache-Control,Connection,Content-Type,DNT,Host,If-Modified-Since,Keep-Alive,Origin,Pragma,Referer,User-Agent,x-csrf-token,x-requested-with' always;
        add_header 'Vary' Origin always;
    }
    if ($cors = "trueoptions") {
        add_header 'Connection' 'keep-alive' always;
        add_header 'Access-Control-Allow-Origin' "$http_origin" always;
        add_header 'Access-Control-Allow-Methods' 'GET,OPTIONS' always;
        add_header 'Access-Control-Allow-Headers' 'Accept,Accept-Encoding,Accept-Language,Access-Control-Request-Header,Access-Control-Request-Method,Authorization,Cache-Control,Connection,Content-Type,DNT,Host,If-Modified-Since,Keep-Alive,Origin,Pragma,Referer,User-Agent,x-csrf-token,x-requested-with' always;
        add_header 'Access-Control-Max-Age' 3600 always;
        add_header 'Content-Type' 'text/plain charset=UTF-8' always;
        add_header 'Content-Length' 0 always;
        add_header 'Vary' Origin always;
        return 204;
    }
    fastcgi_split_path_info ^(.+\.php)(/.+)$;
    fastcgi_read_timeout 60s;
    fastcgi_pass unix:/run/php/php7.3-fpm.sock;
    fastcgi_index micro.php;
    fastcgi_param APP_ENV production;
    include fastcgi_params;
    fastcgi_param SCRIPT_FILENAME $document_root/micro.php;
    fastcgi_param SCRIPT_NAME micro.php;
}
Thanks to anyone who has an idea for a solution!
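
Adding an Authorization header makes the fetch above a preflighted request, so the browser first sends an OPTIONS request and checks its response before sending the GET. The following is an added example, not part of the original post: a simplified JavaScript version of the Fetch standard's CORS-preflight check that can be run over a captured preflight response. The function name `checkPreflight` and the sample objects are constructed for illustration.

```javascript
// Simplified CORS-preflight check after the Fetch standard (origin, status,
// method and header rules only). Added example; all names are hypothetical.
const SAFELISTED_METHODS = new Set(['GET', 'HEAD', 'POST']);
const splitList = v => (v || '').split(',').map(s => s.trim()).filter(Boolean);

// req: { origin, method, headers: [non-safelisted header names], credentials: bool }
// res: { status, headers: { name: value } }  (header names in any case)
function checkPreflight(req, res) {
  const h = {};
  for (const [k, v] of Object.entries(res.headers)) h[k.toLowerCase()] = v;
  const problems = [];
  if (res.status < 200 || res.status > 299) problems.push(`status ${res.status} is not 2xx`);
  const acao = h['access-control-allow-origin'];
  if (acao === undefined) problems.push('missing Access-Control-Allow-Origin');
  else if (acao === '*' ? req.credentials : acao !== req.origin)
    problems.push(`Access-Control-Allow-Origin "${acao}" does not match ${req.origin}`);
  if (req.credentials && h['access-control-allow-credentials'] !== 'true')
    problems.push('credentialed request needs Access-Control-Allow-Credentials: true');
  // Method names are compared case-sensitively; "*" only counts without credentials.
  const methods = splitList(h['access-control-allow-methods']);
  const anyMethod = !req.credentials && methods.includes('*');
  if (!SAFELISTED_METHODS.has(req.method) && !methods.includes(req.method) && !anyMethod)
    problems.push(`method ${req.method} not in Access-Control-Allow-Methods`);
  const allowed = splitList(h['access-control-allow-headers']).map(s => s.toLowerCase());
  const anyHeader = !req.credentials && allowed.includes('*');
  for (const name of req.headers.map(s => s.toLowerCase())) {
    // "authorization" is never covered by "*"; it must be listed by name.
    if (!(allowed.includes(name) || (anyHeader && name !== 'authorization')))
      problems.push(`request header "${name}" not in Access-Control-Allow-Headers`);
  }
  return { ok: problems.length === 0, problems };
}

// Constructed sample: the request from the post and a preflight response shaped
// like the nginx "trueoptions" branch (Allow-Headers list abbreviated).
const request = { origin: 'https://www.myapp.com', method: 'GET',
                  headers: ['Authorization'], credentials: false };
const asConfigured = { status: 204, headers: {
  'Access-Control-Allow-Origin': 'https://www.myapp.com',
  'Access-Control-Allow-Methods': 'GET,OPTIONS',
  'Access-Control-Allow-Headers': 'Accept,Authorization,Content-Type,x-csrf-token' } };
const wildcardHeaders = { status: 204, headers: {
  ...asConfigured.headers, 'Access-Control-Allow-Headers': '*' } };

console.log(checkPreflight(request, asConfigured));
console.log(checkPreflight(request, wildcardHeaders));
```

To use it on a real case, replace the sample response with the status and headers of the actual OPTIONS response as seen by the browser, since a proxy or application layer in between can change what the nginx block emits.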