Logo Questions Linux Laravel Mysql Ubuntu Git Menu
HTML CSS JAVASCRIPT SQL PYTHON PHP BOOTSTRAP JAVA JQUERY R React Kotlin
 

How do I know which access-control-allow-headers to allow for CORS?

Tags:

http-headers

cors

Given these request headers:

Host: api.example.org
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.11; rv:41.0) Gecko/20100101 Firefox/41.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
DNT: 1
Origin: https://web.example.org
Access-Control-Request-Method: GET
Access-Control-Request-Headers: authorization
Connection: keep-alive
Pragma: no-cache
Cache-Control: no-cache

And these response headers:

Connection: keep-alive
Content-Length: 0
Content-Type: text/plain; charset=utf-8
Date: Tue, 13 Oct 2015 10:57:34 GMT
Server: nginx/1.8.0
access-control-allow-headers: Authorization, Content-Type
access-control-allow-methods: PUT, DELETE, PATCH
access-control-allow-origin: *

This works even though only the Authorization and Content-Type headers are explicitly allowed. Why didn't I have to allow other headers that my browser sends? (like DNT for example)

Update: this MDN page contains an overview of simple headers (default CORS-safelisted request headers):

A simple header (or CORS-safelisted request header) is one of the following HTTP headers:

  • Accept
  • Accept-Language
  • Content-Language
  • Content-Type with a MIME type of its parsed value (ignoring parameters) of either application/x-www-form-urlencoded, multipart/form-data, or text/plain.

Or one of these client hint headers:

  • DPR
  • Downlink
  • Save-Data
  • Viewport-Width
  • Width
like image 766
Blaise Avatar asked Oct 13 '15 11:10

Blaise

1 Answers

Without seeing your code to generate the headers, or on which system you are serving from, i.e. nginx or apache, the best I can do is refer you to http://client.cors-api.appspot.com/client which will allow you to test your CORS requests. Also, you should look at http://enable-cors.org/server.html for your specific setup. For instance on nginx, you could have something like this

add_header 'Access-Control-Allow-Headers' 'DNT,X-CustomHeader,Keep-Alive,User-Agent,X-Requested-With,If-Modified-Since,Cache-Control,Content-Type';

There is a set of normal headers, and then the set of headers that you have to explicitly call out. see http://www.html5rocks.com/en/tutorials/cors/#toc-adding-cors-support-to-the-server about setting it up on a server.

like image 164
irnmn Avatar answered Dec 21 '22 19:12

irnmn
Sign in to Comment

Related questions

Timezone for Expires and Last-Modified HTTP Headers
How to get only the response code from a HTTP Request in Ruby
how to send image to server with http.post in javascript and store base64 in mongodb
in IE, the "X-Requested-With" header of jquery becomes "x-requested-with" (lowercase)
What is the current state of the Cookie2 specification?
Set Apache headers conditionally
Play 2.0.1 and setting Access-Control-Allow-Origin
How to use Basic HTTP Auth with REST webservice (Java+Jersey)?
response header VS meta tag
Differentiating Between an AJAX Call / Browser Request
Laravel $request->expectsJson()
How to get response headers when using Alamofire in Swift?
Swift: HTTP request with parameters in header
How to set and retrieve cookie in HTTP header in Python?
Adding headers in ASP.NET MVC 3
Send Post request along with HttpHeaders on Android
How to add HTTP header to URL
Can you modify http request headers in a Safari extension?

Donate For Us

If you love us? You can donate to us via Paypal or buy me a coffee so we can maintain and grow! Thank you!