After two hours trying to make nginx serve a CORS for a 401 status code, i found the solution and wanted to share it here.
Says that the "add_header" option only work for status:
200, 201, 204, 206, 301, 302, 303, 304 or 307
But you can bypass all the http status restriction by passing a third parameter to the add_header with the constant "always". That way, it will add the header, all the time, with any state.
So in my case, my header end up like this:
add_header 'Access-Control-Allow-Origin' * always;
Notice the always at the end of the value? That did the trick for me, and just wanted to share it.