Is there a reason why the following @http.route that specifically uses auth="user" does not respect the cors flag on the decorator?

@http.route('/web/session/modules', type='json', auth="user", cors="*")

I've skimmed through the code for the decorator itself, and can not see a reason why the combination of auth="user" and cors would invalidate the cors functionality of the decorator.

Can anyone explain?