CORS-safelisted request header
A CORS-safelisted request header (also known as "simple header") is one of the following HTTP headers:
When containing only these headers (and values that meet the additional requirements laid out below), a request doesn't need to send a preflight request in the context of CORS.
You can safelist more headers using the Access-Control-Allow-Headers
header and also list the above headers there to circumvent the following additional restrictions.
Additional restrictions
CORS-safelisted headers must also fulfill the following requirements in order to be a CORS-safelisted request header:
Accept-Language
andContent-Language
can only have values consisting of0-9
,A-Z
,a-z
, space or*,-.;=
.Accept
andContent-Type
can't contain a CORS-unsafe request header byte:0x00-0x1F
(except for0x09 (HT)
, which is allowed),"():<>?@[\]{}
, and0x7F (DEL)
.Content-Type
needs to have a MIME type of its parsed value (ignoring parameters) of eitherapplication/x-www-form-urlencoded
,multipart/form-data
, ortext/plain
.Range
needs to have a value of a single byte range in the form ofbytes=[0-9]+-[0-9]*
. See theRange
header documentation for more details.- For any header: the value's length can't be greater than 128.
See also
- Related glossary terms: