What is the right way to allow OPTIONS requests through with "ssl_verify_client on;"?

the CORS spec specifically prohibits credentials with preflight requests; this isn't a problem with chrome or safari because they chose to just ignore that part, but it makes it impossible to do an authenticated CORS request with firefox unless you set it to optional, which i do not want to do.

So the question is, how do i leave "ssl_verify_client on;" enabled, ONLY allowing requests without a certificate on an OPTIONS request? Also is there a place where I can submit a patch to fix nginx still requiring the certificate on an OPTIONS request? seems like something that should already be set to allow it to comply with the specs