Does setting the Authorization header for a POST cross-domain request always require a preflight?
I was surprised recently to learn that when I set the Authorization header, my POST requests are getting preflighted. I had always assumed that the Authorization header would be exempted because of its ubiquity.
Is it true that the Authorization header is not special with respect to CORS, and therefore whenever you set the Authorization header, the browser must preflight?
1 Answer
1
Yes, it’s true that whenever you add the Authorization header to a request, it triggers a preflight in browsers. That’s because Authorization isn’t defined as a CORS safelisted request-header.
The list of CORS safelisted request-headers is quite short; it’s just Accept, Accept-Language, Content-Language, Content-Type, DPR, Downlink, Save-Data, Viewport-Width, Width.
Any header added to a request that’s not in that list will trigger browsers to do a preflight.
See https://developer.mozilla.org/en-US/docs/Web/HTTP/CORS#Preflighted_requests.
Thanks for the reference to the CORS safelisted request-headers.
– tacos_tacos_tacos
Sep 14 '18 at 19:54
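As an added example illustrating the answer above (not part of the original thread), this JavaScript models the browser's preflight decision using the header list from the answer, and the header check a server's preflight response must pass. The Content-Type value restriction, the method list, and the rule that a wildcard Access-Control-Allow-Headers does not cover Authorization are taken from the Fetch specification rather than from this page; the function names are hypothetical.

```javascript
// Added example, not code from the question or answer.
// Safelisted request-header names exactly as listed in the answer (lower-cased).
const SAFELISTED = new Set(['accept', 'accept-language', 'content-language',
  'content-type', 'dpr', 'downlink', 'save-data', 'viewport-width', 'width']);
// Not in the answer: Content-Type is safelisted only with one of these values.
const SIMPLE_CONTENT_TYPES = new Set(['application/x-www-form-urlencoded',
  'multipart/form-data', 'text/plain']);
// Not in the answer: other methods (PUT, DELETE, ...) preflight on their own.
const SIMPLE_METHODS = new Set(['GET', 'HEAD', 'POST']);

// Names of author-set headers that force a preflight, lower-cased and sorted.
function unsafeHeaders(headers) {
  const out = [];
  for (const [name, value] of Object.entries(headers)) {
    const n = name.toLowerCase();
    if (!SAFELISTED.has(n)) { out.push(n); continue; }
    if (n === 'content-type') {
      const essence = String(value).split(';')[0].trim().toLowerCase();
      if (!SIMPLE_CONTENT_TYPES.has(essence)) out.push(n);
    }
  }
  return out.sort();
}

// Returns the CORS headers of the OPTIONS preflight, or null if none is sent.
function buildPreflight(method, headers) {
  const m = method.toUpperCase();
  const unsafe = unsafeHeaders(headers);
  if (SIMPLE_METHODS.has(m) && unsafe.length === 0) return null;
  const pre = { 'Access-Control-Request-Method': m };
  if (unsafe.length) pre['Access-Control-Request-Headers'] = unsafe.join(',');
  return pre;
}

// Header part of the browser's check on the preflight response (origin and
// method checks omitted). "*" covers other headers on non-credentialed
// requests, but Authorization must always be listed by name.
function preflightAllowsHeaders(preflight, response) {
  const allowed = (response['Access-Control-Allow-Headers'] || '')
    .split(',').map((s) => s.trim().toLowerCase()).filter(Boolean);
  const requested = (preflight['Access-Control-Request-Headers'] || '')
    .split(',').filter(Boolean);
  return requested.every((h) =>
    allowed.includes(h) || (h !== 'authorization' && allowed.includes('*')));
}
```

For an API that accepts Authorization cross-origin, the practical consequence is that its OPTIONS handler has to name Authorization in Access-Control-Allow-Headers; a wildcard response still fails the preflight.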