Codebase Browser
chromium
Go to App

chromium/components/policy/resources/templates/policy_definitions/Network/AccessControlAllowMethodsInCORSPreflightSpecConformant.yaml 

caption: Make <ph name="ACAM_HEADER_NAME">Access-Control-Allow-Methods</ph> matching in <ph name="CORS">CORS</ph> preflight spec conformant
default: true
desc: |-
  This policy controls whether request methods are uppercased when matching with <ph name="ACAM_HEADER_NAME">Access-Control-Allow-Methods</ph> response headers in <ph name="CORS">CORS</ph> preflight.

  If the policy is Disabled, request methods are uppercased.
  This is the behavior on or before <ph name="PRODUCT_NAME">$1<ex>Google Chrome</ex></ph> 108.

  If the policy is Enabled or not set, request methods are not uppercased, unless matching case-insensitively with <ph name="DELETE_METHOD_NAME">DELETE</ph>, <ph name="GET_METHOD_NAME">GET</ph>, <ph name="HEAD_METHOD_NAME">HEAD</ph>, <ph name="OPTIONS_METHOD_NAME">OPTIONS</ph>, <ph name="POST_METHOD_NAME">POST</ph>, or <ph name="PUT_METHOD_NAME">PUT</ph>.
  This would reject <ph name="REJECTED_CASE">fetch(url, {method: 'Foo'}) + "Access-Control-Allow-Methods: FOO"</ph> response header,
  and would accept <ph name="ACCEPTED_CASE">fetch(url, {method: 'Foo'}) + "Access-Control-Allow-Methods: Foo"</ph> response header.

  Note: request methods <ph name="POST_LOWERCASE_METHOD_NAME">"post"</ph> and <ph name="PUT_LOWERCASE_METHOD_NAME">"put"</ph> are not affected, while <ph name="PATCH_LOWERCASE_METHOD_NAME">"patch"</ph> is affected.

  This policy is intended to be temporary and will be removed in the future.
example_value: true
features:
  dynamic_refresh: false
  per_profile: true
future_on:
- fuchsia
items:
- caption: Do not uppercase request methods except for DELETE/GET/HEAD/OPTIONS/POST/PUT
  value: true
- caption: Always uppercase request methods
  value: false
owners:
- [email protected]
- [email protected]
schema:
  type: boolean
supported_on:
- chrome_os:109-
- chrome.*:109-
- android:109-
tags: []
type: main