Glossary of Security Terms: CORS-Safelisted Request Header

August 20th 2020

@mozillaMozilla Contributors

Mozilla (stylized as moz://a) is a free software community founded in 1998 by members of Netscape.

A CORS-safelisted request header is one of the following HTTP headers:

When containing only these headers (and values that meet the additional requirements laid out below), a requests doesn't need to send a preflight request in the context of CORS.

You can safelist more headers using the

Access-Control-Allow-Headers

header and also list the above headers there to circumvent the following additional restrictions:

Additional restrictions

CORS-safelisted headers must also fulfill the following requirements in order to be a CORS-safelisted request header:

For
```
Accept-Language
```
and
```
Content-Language
```
: can only have values consisting of
```
0-9
```
,
```
A-Z
```
,
```
a-z
```
, space or
```
*,-.;=
```
.
For
```
Accept
```
and
```
Content-Type
```
: can't contain a CORS-unsafe request header byte:
```
"():<>?@[\]{}
```
, Delete, Tab and control characters: 0x00 to 0x19.
For
```
Content-Type
```
: needs to have a MIME type of its parsed value (ignoring parameters) of either
```
application/x-www-form-urlencoded
```
,
```
multipart/form-data
```
, or
```
text/plain
```
.
For any header: the value’s length can't be greater than 128.

Learn more

View Previous Terms:

Block cipher mode of operation

Credits

Source: https://developer.mozilla.org/en-US/docs/Glossary/CORS-safelisted_request_header
Published under Open CC Attribution ShareAlike 3.0 license

Glossary of Security Terms: CORS-Safelisted Request Header

@mozillaMozilla Contributors

Learn more

View Previous Terms:

Credits

Tags