A CORS non-wildcard request-header name [1] is an HTTP request header name that is not covered by the wildcard symbol ("*") in the Access-Control-Allow-Headers response header. "authorization" is currently the only CORS non-wildcard request-header name. Chromium currently treats it like any other header, so a bare "*" in Access-Control-Allow-Headers also permits a script-set Authorization header, which is problematic for security reasons. Implement the spec rule and change the current behavior.
1: https://fetch.spec.whatwg.org/#cors-non-wildcard-request-header-name
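The preflight check below is an added example, not Chromium's code or the Fetch spec's own text: it applies the spec's Access-Control-Allow-Headers rules, and an `enforceNonWildcard` flag (an assumption of this example) reproduces the old behaviour for comparison; the function and parameter names are assumptions.

```javascript
// Added example, not Chromium's or the Fetch spec's own code. Implements the
// Access-Control-Allow-Headers check from the Fetch spec's CORS-preflight
// fetch: "*" covers every CORS-unsafe request header except the CORS
// non-wildcard request-header names, and is only a wildcard when the
// request's credentials mode is not "include".
const CORS_NON_WILDCARD_REQUEST_HEADER_NAMES = new Set(["authorization"]);

// Split a comma-separated header-list value into lowercase tokens.
function parseHeaderList(value) {
  if (!value) return [];
  return value.split(",").map((v) => v.trim().toLowerCase()).filter(Boolean);
}

// requestHeaders: names of the CORS-unsafe headers the script set (these are
// what triggered the preflight); credentialsMode: "omit" | "same-origin" |
// "include"; allowHeadersValue: the preflight response's
// Access-Control-Allow-Headers value (null if absent).
// enforceNonWildcard=false reproduces the old behaviour this entry changes,
// where "authorization" was treated like any other header.
function checkPreflightHeaders(requestHeaders, credentialsMode,
                               allowHeadersValue, enforceNonWildcard = true) {
  const allowed = parseHeaderList(allowHeadersValue);
  const wildcard = credentialsMode !== "include" && allowed.includes("*");
  for (const name of requestHeaders.map((n) => n.toLowerCase())) {
    if (allowed.includes(name)) continue; // explicitly listed: fine
    if (enforceNonWildcard && CORS_NON_WILDCARD_REQUEST_HEADER_NAMES.has(name)) {
      return { ok: false, reason: `${name} must be listed by name; "*" does not cover it` };
    }
    if (!wildcard) {
      return { ok: false, reason: `${name} is not allowed by the preflight response` };
    }
  }
  return { ok: true };
}

// Constructed sample: a script-set Authorization header against a server that
// answers the preflight with a bare wildcard.
const sample = { headers: ["Authorization", "X-Requested-With"], mode: "omit", allow: "*" };
console.log(checkPreflightHeaders(sample.headers, sample.mode, sample.allow, false)); // old: { ok: true }
console.log(checkPreflightHeaders(sample.headers, sample.mode, sample.allow));        // new: { ok: false, ... }
```

A server that really wants to accept a script-set Authorization header must name it explicitly, e.g. `Access-Control-Allow-Headers: Authorization, *`.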
Motivation
To improve security. With the current behavior, a malicious web site can easily use stolen or guessed authentication data.
Specification
Unknown standards status - check spec link for status
Status in Chromium
In development
Consensus & Standardization
- Positive
- Positive
- No signals
Owner
Last updated on 2022-04-09
Comments
Authorization headers that the user agent attaches itself (as part of the authentication process) are out of scope. This is about headers that scripts attach.