I assume we're talking CORS here?
The OPTIONS request is constructed automatically by the browser, so you won't find any ExtJS code for building it. As far as I can tell you can't put custom headers on the OPTIONS request, they'll just be moved into the Access-Control-Request-Headers.
I believe this is the relevant section of the spec:
If I'm reading it correctly it seems pretty explicit that all headers and authentication will be stripped from the original request when generating the OPTIONS request.
A little searching suggests that some IIS users have requested that the spec be altered to allow authentication on the OPTIONS request but thus far this hasn't been added to the spec or implemented in browsers.