chromium/components/policy/resources/templates/policy_definitions/Miscellaneous/CORSNonWildcardRequestHeadersSupport.yaml

caption: CORS non-wildcard request headers support
default: true
desc: |-
  Configures support of CORS non-wildcard request headers.

        <ph name="PRODUCT_NAME">$1<ex>Google Chrome</ex></ph> version 97 introduces support for CORS non-wildcard request headers. When a script makes a cross-origin network request via fetch() or XMLHttpRequest with a script-added Authorization header, the header must be explicitly allowed by the Access-Control-Allow-Headers header in the CORS preflight response. "Explicitly" here means that the wildcard symbol "*" doesn't cover the Authorization header. See <ph name="CORS_NON_WILDCARD_REQUEST_HEADERS_FEATURE_URL">https://chromestatus.com/feature/5742041264816128</ph> for more details.

        If this policy is not set, or set to True, <ph name="PRODUCT_NAME">$1<ex>Google Chrome</ex></ph> will support the CORS non-wildcard request headers and behave as described above.

        When this policy is set to False, <ph name="PRODUCT_NAME">$1<ex>Google Chrome</ex></ph> will allow the wildcard symbol ("*") in the Access-Control-Allow-Headers header in the CORS preflight response to cover the Authorization header.

        This Enterprise policy is temporary; it's intended to be removed in the future.
example_value: true
features:
  dynamic_refresh: true
  per_profile: true
future_on:
- fuchsia
items:
- caption: Support CORS non-wildcard request headers.
  value: true
- caption: Do not support CORS non-wildcard request headers.
  value: false
owners:
- [email protected]
schema:
  type: boolean
supported_on:
- chrome.*:97-
- chrome_os:97-
- android:97-
tags: []
type: main
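
The preflight check the description refers to, as an added example that is not part of the Chromium source: a simplified JavaScript model of how the policy value changes whether "*" in Access-Control-Allow-Headers covers a script-added Authorization header. The function names and the sample header X-Request-Id are assumptions, and only requests sent without credentials mode "include" are modelled.

```javascript
// Simplified model of the preflight header check described in the policy text.
// Assumptions (not from the Chromium source): requests are not sent with
// credentials mode "include", and `requestHeaders` lists only the script-added
// header names that need approval from the preflight response.
const NON_WILDCARD_HEADERS = new Set(["authorization"]);

// Split an Access-Control-Allow-Headers value into lowercase header names.
function parseAllowHeaders(value) {
  return new Set(
    (value || "")
      .split(",")
      .map((name) => name.trim().toLowerCase())
      .filter((name) => name.length > 0)
  );
}

// Returns the request header names that the preflight response does not cover.
// nonWildcardSupport mirrors the policy: true or unset enforces the rule,
// false lets "*" cover Authorization as well.
function uncoveredHeaders(allowHeadersValue, requestHeaders, nonWildcardSupport = true) {
  const allowed = parseAllowHeaders(allowHeadersValue);
  const hasWildcard = allowed.has("*");
  return requestHeaders.filter((header) => {
    const name = header.toLowerCase();
    if (allowed.has(name)) return false; // explicitly listed
    if (!hasWildcard) return true;       // nothing covers it
    // "*" is present: it covers the header unless the header is a
    // non-wildcard name and the policy enforces the rule.
    return nonWildcardSupport && NON_WILDCARD_HEADERS.has(name);
  });
}

function preflightPasses(allowHeadersValue, requestHeaders, nonWildcardSupport = true) {
  return uncoveredHeaders(allowHeadersValue, requestHeaders, nonWildcardSupport).length === 0;
}

// Constructed sample: a request carrying two script-added headers.
const sample = ["Authorization", "X-Request-Id"];
console.log(preflightPasses("*", sample));                // policy true or unset
console.log(preflightPasses("*", sample, false));         // policy false
console.log(preflightPasses("*, Authorization", sample)); // explicit listing
console.log(uncoveredHeaders("X-Request-Id", sample));    // names still blocked
```

Server operators can run their own Access-Control-Allow-Headers values through a check like this to find endpoints that still rely on "*" to admit Authorization before the temporary policy is removed.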