A is one of the following : CORS-safelisted request header HTTP headers , Accept , Accept-Language , Content-Language Content-Type . When containing only these headers (and values that meet the additional requirements laid out below), a requests doesn't need to send a in the context of . preflight request CORS You can safelist more headers using the header and also list the above headers there to circumvent the following additional restrictions: Access-Control-Allow-Headers CORS-safelisted headers must also fulfill the following requirements in order to be a CORS-safelisted request header: Additional restrictions For and : can only have values consisting of , , , space or . Accept-Language Content-Language 0-9 A-Z a-z *,-.;= For and : can't contain a : , Delete, Tab and control characters: 0x00 to 0x19. Accept Content-Type CORS-unsafe request header byte "():<>?@[\]{} For : needs to have a MIME type of its parsed value (ignoring parameters) of either , , or . Content-Type application/x-www-form-urlencoded multipart/form-data text/plain For any header: the value’s length can't be greater than 128. Learn more CORS-safelisted response header Forbidden header name Request header View Previous Terms: Block cipher mode of operation Certificate authority Challenge-response authentication Cipher Cipher suite Ciphertext CORS CORS-safelisted response header Cross-site scripting Cryptanalysis Cryptographic hash function Cryptography CSP CSRF Decryption Digital certificate DTLS (Datagram Transport Layer Security) Encryption Forbidden header name Forbidden response header name Hash HMAC HPKP HSTS HTTPS Key MitM OWASP Preflight request Public-key cryptography Reporting directive Robots.txt Same-origin policy Session Hijacking SQL Injection Symmetric-key cryptography TOFU Transport Layer Security (TLS) Credits Source: https://developer.mozilla.org/en-US/docs/Glossary/CORS-safelisted_request_header Published under license Open CC Attribution ShareAlike 3.0

Mozilla

Read My Stories

Too Long; Didn't Read

Questions about cloud security? Get answers here.

Glossary of Security Terms: CORS-Safelisted Request Header

Too Long; Didn't Read

Company Mentioned

Mozilla Contributors

About Author

TOPICS

THIS ARTICLE WAS FEATURED IN...

Glossary of Security Terms: CORS-Safelisted Request Header

Too Long; Didn't Read

Company Mentioned

Mozilla Contributors

About Author

TOPICS

THIS ARTICLE WAS FEATURED IN...

RELATED STORIES