A CORS non-wildcard request-header name[1] is an HTTP request header name that is not covered by the wildcard symbol ("*") in the Access-Control-Allow-Headers response header. "authorization" is currently the only CORS non-wildcard request-header name. Currently we treat the header like any other request header, which is problematic for security reasons. Implement the concept and change the current behavior.

1: https://fetch.spec.whatwg.org/#cors-non-wildcard-request-header-name
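The following is an added example (not Chromium's code) that models the Fetch-spec preflight header check with "authorization" treated as the non-wildcard name: it takes the CORS-unsafe request-header names as input, which is an assumption made to keep the example short (the spec derives those names from the request's header list, including value checks for Content-Type that are left out here).

```javascript
// Model of the CORS preflight header check from the Fetch spec, with
// "authorization" as the only CORS non-wildcard request-header name.
// Added example, not Chromium code; unsafeNames is assumed to already be the
// list of CORS-unsafe request-header names of the request.

const CORS_NON_WILDCARD_REQUEST_HEADER_NAMES = new Set(["authorization"]);

// Parse an Access-Control-Allow-Headers value such as "X-A, x-b, *" into a
// set of lowercase names; header names are ASCII-case-insensitive.
function parseAllowHeaders(value) {
  if (value === null || value === undefined) return new Set();
  return new Set(
    value.split(",").map((s) => s.trim().toLowerCase()).filter((s) => s !== "")
  );
}

// Decide whether the preflight response allows the given unsafe request headers.
// credentialsMode is "omit", "same-origin" or "include".
// Returns { ok: true } or { ok: false, rejected: <lowercase header name> }.
function checkPreflightHeaders(unsafeNames, allowHeadersValue, credentialsMode) {
  const allowed = parseAllowHeaders(allowHeadersValue);
  // "*" only acts as a wildcard for requests made without credentials;
  // with credentials it is just a literal header name.
  const wildcard = allowed.has("*") && credentialsMode !== "include";
  for (const name of unsafeNames.map((n) => n.toLowerCase())) {
    if (allowed.has(name)) continue; // listed explicitly: always fine
    if (CORS_NON_WILDCARD_REQUEST_HEADER_NAMES.has(name)) {
      // The wildcard never covers this name; it must be listed explicitly.
      return { ok: false, rejected: name };
    }
    if (!wildcard) return { ok: false, rejected: name };
  }
  return { ok: true };
}
```

With the changed behavior, a script-set Authorization header passes preflight only when the server names it explicitly, even if the response carries `Access-Control-Allow-Headers: *`.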

Motivation

To improve security. With the current behavior, a malicious web site can more easily make use of stolen or guessed authentication credentials.

Specification

Specification link


Unknown standards status - check spec link for status

Status in Chromium

Blink>SecurityFeature>CORS


In development (tracking bug)

Consensus & Standardization

After a feature ships in Chrome, the values listed here are not guaranteed to be up to date.

  • Positive
  • Positive
  • No signals

Owner

Comments

Authorization headers that the user agent attaches itself (as part of the authentication process) are out of scope. This is about headers that scripts attach.

Last updated on 2021-12-01