paint-brush
Glossary of Security Terms: CORS-Safelisted Request Headerby@mozilla
374 reads
374 reads

Glossary of Security Terms: CORS-Safelisted Request Header

by Mozilla ContributorsAugust 20th, 2020
Read on Terminal Reader
Read this story w/o Javascript
tldt arrow

Too Long; Didn't Read

A CORS-safelisted request header is one of the following HTTP headers. A request doesn't need to send a preflight request in the context of CORS. The headers must meet the additional requirements laid out below. They must also fulfill the following requirements in order to be a request header: For example, the value’s length can't be greater than 128. For example: For a request, the header can't contain a header byte: Delete, Delete, Tab and control characters: 0x00 to 0x19.

Company Mentioned

Mention Thumbnail
featured image - Glossary of Security Terms: CORS-Safelisted Request Header
Mozilla Contributors HackerNoon profile picture

A CORS-safelisted request header is one of the following HTTP headers:

When containing only these headers (and values that meet the additional requirements laid out below), a requests doesn't need to send a preflight request in the context of CORS.

You can safelist more headers using the

Access-Control-Allow-Headers
header and also list the above headers there to circumvent the following additional restrictions:

Additional restrictions

CORS-safelisted headers must also fulfill the following requirements in order to be a CORS-safelisted request header:

  • For
    Accept-Language
    and
    Content-Language
    : can only have values consisting of
    0-9
    ,
    A-Z
    ,
    a-z
    , space or
    *,-.;=
    .
  • For
    Accept
    and
    Content-Type
    : can't contain a CORS-unsafe request header byte:
    "():<>?@[\]{}
    , Delete, Tab and control characters: 0x00 to 0x19.
  • For
    Content-Type
    : needs to have a MIME type of its parsed value (ignoring parameters) of either
    application/x-www-form-urlencoded
    ,
    multipart/form-data
    , or
    text/plain
    .
  • For any header: the value’s length can't be greater than 128.

Learn more

View Previous Terms:

Credits