A CORS-safelisted request header is one of the following HTTP headers:
When a request contains only these headers (and values that meet the additional requirements laid out below), it doesn't need to send a preflight request in the context of CORS.
You can safelist more headers using the Access-Control-Allow-Headers header and also list the above headers there to circumvent the following additional restrictions:
Additional restrictions
CORS-safelisted headers must also fulfill the following requirements in order to be a CORS-safelisted request header:
- For Accept-Language and Content-Language: can only have values consisting of 0-9, A-Z, a-z, space or *,-.;=.
- For Accept and Content-Type: can't contain a CORS-unsafe request header byte: 0x00-0x1F (except 0x09 (HT)), "():<>?@[\]{}, and 0x7F (DEL).
- For Content-Type: needs to have a MIME type of its parsed value (ignoring parameters) of either application/x-www-form-urlencoded, multipart/form-data, or text/plain.
- For any header: the value's length can't be greater than 128.
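
The restrictions above written out as a check, useful when auditing which headers a client sends will force a preflight and so need listing in Access-Control-Allow-Headers. This is an added example, not part of the original page: the function names are hypothetical, only the four headers named in the restrictions are handled, the length is counted in UTF-8 bytes, and the Content-Type parsing is a simplification (the text before the first `;`).

```javascript
// MIME types allowed for Content-Type, ignoring parameters.
const SAFE_MIME_TYPES = new Set([
  "application/x-www-form-urlencoded",
  "multipart/form-data",
  "text/plain",
]);

// The punctuation part of the CORS-unsafe request header byte set.
const UNSAFE_PUNCT = new Set([...'"():<>?@[\\]{}'].map((c) => c.charCodeAt(0)));

// True if any byte is 0x00-0x1F (except 0x09 HT), 0x7F (DEL) or unsafe punctuation.
function hasUnsafeByte(bytes) {
  return bytes.some((b) => (b < 0x20 && b !== 0x09) || b === 0x7f || UNSAFE_PUNCT.has(b));
}

// Hypothetical helper: does this name/value pair meet the restrictions above?
function isCorsSafelistedRequestHeader(name, value) {
  const bytes = new TextEncoder().encode(value);
  if (bytes.length > 128) return false; // applies to any header
  switch (name.toLowerCase()) {
    case "accept":
      return !hasUnsafeByte(bytes);
    case "accept-language":
    case "content-language":
      return /^[0-9A-Za-z *,\-.;=]*$/.test(value);
    case "content-type": {
      if (hasUnsafeByte(bytes)) return false;
      // Simplified parse: drop parameters, compare the bare type/subtype.
      const essence = value.split(";")[0].trim().toLowerCase();
      return SAFE_MIME_TYPES.has(essence);
    }
    default:
      return false; // not one of the headers covered by the restrictions
  }
}

// Hypothetical helper: names (lowercased) of headers that fail the check.
function headersForcingPreflight(headers) {
  return Object.entries(headers)
    .filter(([name, value]) => !isCorsSafelistedRequestHeader(name, value))
    .map(([name]) => name.toLowerCase());
}
```

Note that a quoted parameter such as `boundary="x"` fails the Content-Type check even though the MIME type itself is allowed, because `"` is a CORS-unsafe request header byte.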
