CORS non-wildcard request-header - Chrome Platform Status

Feature: CORS non-wildcard request-header

A CORS non-wildcard request header[1] is an HTTP request header which is not covered by the wildcard symbol ("*") in the access-control-allow-headers header. "authorization" is the only member of CORS non-wildcard request-header. Currently we treat the header as a usual header, which is problematic for security reasons. Implement it, and change the current behavior. 1: https://fetch.spec.whatwg.org/#cors-non-wildcard-request-header-name

Motivation

To improve security. With the current behavior, a malicious web site can use stolen/guessed authentication data easily.

Specification

Specification link

Status: Unknown standards status - check spec link for status

Status in Chromium

Blink components: Blink>SecurityFeature>CORS

Implementation status: In development (tracking bug)

Consensus & Standardization

After a feature ships in Chrome, the values listed here are not guaranteed to be up to date.

Firefox: Positive
Safari: Positive
Web Developers: No signals

Owner

yhirano@chromium.org

Comments

Authorization headers the user-agent attaches (as part of the authentication process) is out of scope. This is about headers scripts attach.

Last updated on 2021-12-01