Before you go, check out these stories!

0
Hackernoon logoGlossary of Security Terms: CORS-Safelisted Request Header by@mozilla

Glossary of Security Terms: CORS-Safelisted Request Header

Author profile picture

@mozillaMozilla Contributors

Mozilla (stylized as moz://a) is a free software community founded in 1998 by members of Netscape.

A CORS-safelisted request header is one of the following HTTP headers:

When containing only these headers (and values that meet the additional requirements laid out below), a requests doesn't need to send a preflight request in the context of CORS.

You can safelist more headers using the

Access-Control-Allow-Headers
header and also list the above headers there to circumvent the following additional restrictions:

Additional restrictions

CORS-safelisted headers must also fulfill the following requirements in order to be a CORS-safelisted request header:

  • For
    Accept-Language
    and
    Content-Language
    : can only have values consisting of
    0-9
    ,
    A-Z
    ,
    a-z
    , space or
    *,-.;=
    .
  • For
    Accept
    and
    Content-Type
    : can't contain a CORS-unsafe request header byte:
    "():<>[email protected][\]{}
    , Delete, Tab and control characters: 0x00 to 0x19.
  • For
    Content-Type
    : needs to have a MIME type of its parsedย value (ignoring parameters) of either
    application/x-www-form-urlencoded
    ,
    multipart/form-data
    , or
    text/plain
    .
  • For any header: the valueโ€™s length can't be greater than 128.

Learn more

View Previous Terms:

Credits

Author profile picture

@mozillaMozilla Contributors

Read my stories

Mozilla (stylized as moz://a) is a free software community founded in 1998 by members of Netscape.

Tags

Join Hacker Noon

Create your free account to unlock your custom reading experience.