CORS Access-Control-Allow-Headers wildcard being ignored

Question

I am having trouble getting a cross domain CORS request to work correctly using Chrome    Request Headers   Accept     Accept-Charset ISO-8859-1 utf-8 q 0 7   q 0 3 Accept-Encoding gzip deflate sdch Accept-Language en-US en q 0 8 Access-Control-Request-Headers origin  content-type Access-Control-Request-Method POST Connection keep-alive User-Agent Mozilla 5 0  Macintosh  Intel Mac OS X 10 8 2  AppleWebKit 537 4  KHTML  like Gecko  Chrome 22 0 1229 94 Safari 537 4   Response headers   Access-Control-Allow-Headers   Access-Control-Allow-Origin   Allow GET  POST  OPTIONS Content-Length 0 Date Tue  30 Oct 2012 20 04 28 GMT Server BaseHTTP 0 3 Python 2 7 3   Error   XMLHttpRequest cannot load domain  Request header field Content-Type is not allowed by Access-Control-Allow-Headers    And the python code serving the options request is   self send response 200  self send header  Allow    GET  POST  OPTIONS   self send header  Access-Control-Allow-Origin        self send header  Access-Control-Allow-Headers        self send header  Content-Length    0   self end headers     It seems the Access-Control-Allow-Origin wildcard is being ignored

User · Answer

here s the incantation for nginx  inside a   location           Simple requests     if   request method      GET POST            add header  Access-Control-Allow-Origin                   Preflighted requests     if   request method   OPTIONS           add header  Access-Control-Allow-Origin            add header  Access-Control-Allow-Methods   GET  POST  OPTIONS  HEAD         add header  Access-Control-Allow-Headers   Authorization  Origin  X-Requested-With  Content-Type  Accept

User · Answer

Support for wildcards in the Access-Control-Allow-Headers header was added to the living standard only in May 2016  so it may not be supported by all browsers  On browser which don t implement this yet  it must be an exact match  https   www w3 org TR 2014 REC-cors-20140116  access-control-allow-headers-response-header  If you expect a large number of headers  you can read in the value of the Access-Control-Request-Headers header and echo that value back in the Access-Control-Allow-Headers header

User · Answer

Those CORS headers do not support   as value  the only way is to replace   with this  Accept  Accept-CH  Accept-Charset  Accept-Datetime  Accept-Encoding  Accept-Ext  Accept-Features  Accept-Language  Accept-Params  Accept-Ranges  Access-Control-Allow-Credentials  Access-Control-Allow-Headers  Access-Control-Allow-Methods  Access-Control-Allow-Origin  Access-Control-Expose-Headers  Access-Control-Max-Age  Access-Control-Request-Headers  Access-Control-Request-Method  Age  Allow  Alternates  Authentication-Info  Authorization  C-Ext  C-Man  C-Opt  C-PEP  C-PEP-Info  CONNECT  Cache-Control  Compliance  Connection  Content-Base  Content-Disposition  Content-Encoding  Content-ID  Content-Language  Content-Length  Content-Location  Content-MD5  Content-Range  Content-Script-Type  Content-Security-Policy  Content-Style-Type  Content-Transfer-Encoding  Content-Type  Content-Version  Cookie  Cost  DAV  DELETE  DNT  DPR  Date  Default-Style  Delta-Base  Depth  Derived-From  Destination  Differential-ID  Digest  ETag  Expect  Expires  Ext  From  GET  GetProfile  HEAD  HTTP-date  Host  IM  If  If-Match  If-Modified-Since  If-None-Match  If-Range  If-Unmodified-Since  Keep-Alive  Label  Last-Event-ID  Last-Modified  Link  Location  Lock-Token  MIME-Version  Man  Max-Forwards  Media-Range  Message-ID  Meter  Negotiate  Non-Compliance  OPTION  OPTIONS  OWS  Opt  Optional  Ordering-Type  Origin  Overwrite  P3P  PEP  PICS-Label  POST  PUT  Pep-Info  Permanent  Position  Pragma  ProfileObject  Protocol  Protocol-Query  Protocol-Request  Proxy-Authenticate  Proxy-Authentication-Info  Proxy-Authorization  Proxy-Features  Proxy-Instruction  Public  RWS  Range  Referer  Refresh  Resolution-Hint  Resolver-Location  Retry-After  Safe  Sec-Websocket-Extensions  Sec-Websocket-Key  Sec-Websocket-Origin  Sec-Websocket-Protocol  Sec-Websocket-Version  Security-Scheme  Server  Set-Cookie  Set-Cookie2  SetProfile  SoapAction  Status  Status-URI  Strict-Transport-Security  SubOK  Subst  Surrogate-Capability  Surrogate-Control  TCN  TE  TRACE  Timeout  Title  Trailer  Transfer-Encoding  UA-Color  UA-Media  UA-Pixels  UA-Resolution  UA-Windowpixels  URI  Upgrade  User-Agent  Variant-Vary  Vary  Version  Via  Viewport-Width  WWW-Authenticate  Want-Digest  Warning  Width  X-Content-Duration  X-Content-Security-Policy  X-Content-Type-Options  X-CustomHeader  X-DNSPrefetch-Control  X-Forwarded-For  X-Forwarded-Port  X-Forwarded-Proto  X-Frame-Options  X-Modified  X-OTHER  X-PING  X-PINGOTHER  X-Powered-By  X-Requested-With   htaccess Example  CORS Included    lt IfModule mod headers c gt    Header unset Connection   Header unset Time-Zone   Header unset Keep-Alive   Header unset Access-Control-Allow-Origin   Header unset Access-Control-Allow-Headers   Header unset Access-Control-Expose-Headers   Header unset Access-Control-Allow-Methods   Header unset Access-Control-Allow-Credentials    Header set   Connection                         keep-alive   Header set   Time-Zone                           quot Asia Jerusalem quot    Header set   Keep-Alive                         timeout 100 max 500   Header set   Access-Control-Allow-Origin         quot   quot    Header set   Access-Control-Allow-Headers        quot Accept  Accept-CH  Accept-Charset  Accept-Datetime  Accept-Encoding  Accept-Ext  Accept-Features  Accept-Language  Accept-Params  Accept-Ranges  Access-Control-Allow-Credentials  Access-Control-Allow-Headers  Access-Control-Allow-Methods  Access-Control-Allow-Origin  Access-Control-Expose-Headers  Access-Control-Max-Age  Access-Control-Request-Headers  Access-Control-Request-Method  Age  Allow  Alternates  Authentication-Info  Authorization  C-Ext  C-Man  C-Opt  C-PEP  C-PEP-Info  CONNECT  Cache-Control  Compliance  Connection  Content-Base  Content-Disposition  Content-Encoding  Content-ID  Content-Language  Content-Length  Content-Location  Content-MD5  Content-Range  Content-Script-Type  Content-Security-Policy  Content-Style-Type  Content-Transfer-Encoding  Content-Type  Content-Version  Cookie  Cost  DAV  DELETE  DNT  DPR  Date  Default-Style  Delta-Base  Depth  Derived-From  Destination  Differential-ID  Digest  ETag  Expect  Expires  Ext  From  GET  GetProfile  HEAD  HTTP-date  Host  IM  If  If-Match  If-Modified-Since  If-None-Match  If-Range  If-Unmodified-Since  Keep-Alive  Label  Last-Event-ID  Last-Modified  Link  Location  Lock-Token  MIME-Version  Man  Max-Forwards  Media-Range  Message-ID  Meter  Negotiate  Non-Compliance  OPTION  OPTIONS  OWS  Opt  Optional  Ordering-Type  Origin  Overwrite  P3P  PEP  PICS-Label  POST  PUT  Pep-Info  Permanent  Position  Pragma  ProfileObject  Protocol  Protocol-Query  Protocol-Request  Proxy-Authenticate  Proxy-Authentication-Info  Proxy-Authorization  Proxy-Features  Proxy-Instruction  Public  RWS  Range  Referer  Refresh  Resolution-Hint  Resolver-Location  Retry-After  Safe  Sec-Websocket-Extensions  Sec-Websocket-Key  Sec-Websocket-Origin  Sec-Websocket-Protocol  Sec-Websocket-Version  Security-Scheme  Server  Set-Cookie  Set-Cookie2  SetProfile  SoapAction  Status  Status-URI  Strict-Transport-Security  SubOK  Subst  Surrogate-Capability  Surrogate-Control  TCN  TE  TRACE  Timeout  Title  Trailer  Transfer-Encoding  UA-Color  UA-Media  UA-Pixels  UA-Resolution  UA-Windowpixels  URI  Upgrade  User-Agent  Variant-Vary  Vary  Version  Via  Viewport-Width  WWW-Authenticate  Want-Digest  Warning  Width  X-Content-Duration  X-Content-Security-Policy  X-Content-Type-Options  X-CustomHeader  X-DNSPrefetch-Control  X-Forwarded-For  X-Forwarded-Port  X-Forwarded-Proto  X-Frame-Options  X-Modified  X-OTHER  X-PING  X-PINGOTHER  X-Powered-By  X-Requested-With quot    Header set   Access-Control-Expose-Headers       quot Accept  Accept-CH  Accept-Charset  Accept-Datetime  Accept-Encoding  Accept-Ext  Accept-Features  Accept-Language  Accept-Params  Accept-Ranges  Access-Control-Allow-Credentials  Access-Control-Allow-Headers  Access-Control-Allow-Methods  Access-Control-Allow-Origin  Access-Control-Expose-Headers  Access-Control-Max-Age  Access-Control-Request-Headers  Access-Control-Request-Method  Age  Allow  Alternates  Authentication-Info  Authorization  C-Ext  C-Man  C-Opt  C-PEP  C-PEP-Info  CONNECT  Cache-Control  Compliance  Connection  Content-Base  Content-Disposition  Content-Encoding  Content-ID  Content-Language  Content-Length  Content-Location  Content-MD5  Content-Range  Content-Script-Type  Content-Security-Policy  Content-Style-Type  Content-Transfer-Encoding  Content-Type  Content-Version  Cookie  Cost  DAV  DELETE  DNT  DPR  Date  Default-Style  Delta-Base  Depth  Derived-From  Destination  Differential-ID  Digest  ETag  Expect  Expires  Ext  From  GET  GetProfile  HEAD  HTTP-date  Host  IM  If  If-Match  If-Modified-Since  If-None-Match  If-Range  If-Unmodified-Since  Keep-Alive  Label  Last-Event-ID  Last-Modified  Link  Location  Lock-Token  MIME-Version  Man  Max-Forwards  Media-Range  Message-ID  Meter  Negotiate  Non-Compliance  OPTION  OPTIONS  OWS  Opt  Optional  Ordering-Type  Origin  Overwrite  P3P  PEP  PICS-Label  POST  PUT  Pep-Info  Permanent  Position  Pragma  ProfileObject  Protocol  Protocol-Query  Protocol-Request  Proxy-Authenticate  Proxy-Authentication-Info  Proxy-Authorization  Proxy-Features  Proxy-Instruction  Public  RWS  Range  Referer  Refresh  Resolution-Hint  Resolver-Location  Retry-After  Safe  Sec-Websocket-Extensions  Sec-Websocket-Key  Sec-Websocket-Origin  Sec-Websocket-Protocol  Sec-Websocket-Version  Security-Scheme  Server  Set-Cookie  Set-Cookie2  SetProfile  SoapAction  Status  Status-URI  Strict-Transport-Security  SubOK  Subst  Surrogate-Capability  Surrogate-Control  TCN  TE  TRACE  Timeout  Title  Trailer  Transfer-Encoding  UA-Color  UA-Media  UA-Pixels  UA-Resolution  UA-Windowpixels  URI  Upgrade  User-Agent  Variant-Vary  Vary  Version  Via  Viewport-Width  WWW-Authenticate  Want-Digest  Warning  Width  X-Content-Duration  X-Content-Security-Policy  X-Content-Type-Options  X-CustomHeader  X-DNSPrefetch-Control  X-Forwarded-For  X-Forwarded-Port  X-Forwarded-Proto  X-Frame-Options  X-Modified  X-OTHER  X-PING  X-PINGOTHER  X-Powered-By  X-Requested-With quot    Header set   Access-Control-Allow-Methods        quot CONNECT  DEBUG  DELETE  DONE  GET  HEAD  HTTP  HTTP 0 9  HTTP 1 0  HTTP 1 1  HTTP 2  OPTIONS  ORIGIN  ORIGINS  PATCH  POST  PUT  QUIC  REST  SESSION  SHOULD  SPDY  TRACE  TRACK quot    Header set   Access-Control-Allow-Credentials    quot true quot     Header set DNT  quot 0 quot    Header set Accept-Ranges  quot bytes quot    Header set Vary  quot Accept-Encoding quot    Header set X-UA-Compatible  quot IE edge chrome 1 quot    Header set X-Frame-Options  quot SAMEORIGIN quot    Header set X-Content-Type-Options  quot nosniff quot    Header set X-Xss-Protection  quot 1  mode block quot   lt  IfModule gt    F A Q   Why Access-Control-Allow-Headers  Access-Control-Expose-Headers  Access-Control-Allow-Methods values are super long  Those do not support the   syntax  so I ve collected the most common  and exotic  headers from around the web  in various formats  1  2  3  and I will update the list from time to time   Why do you use Header unset        syntax  GoDaddy servers  which my website is hosted on    have a weird bug where if the headers are already set  the previous value will join the existing one    instead of replacing it  this way I  quot pre-clean quot  existing values  really just a a quick  amp  amp  dirty solution   Is it safe for me to use  as-is   Well   mostly the answer would be YES since the  htaccess is limiting the headers to the scripts  PHP  HTML       and resources   JPG   JS   CSS  served from the following  quot folder quot -location  You optionally might want to remove the Access-Control-Allow-Methods lines  Also Connection  Time-Zone  Keep-Alive and DNT  Accept-Ranges  Vary  X-UA-Compatible  X-Frame-Options  X-Content-Type-Options and X-Xss-Protection are just a suggestion I m using for my online-service   feel free to remove those too      taken from my comment above

User · Answer

Quoted from monsur      The Access-Control-Allow-Headers header does not allow wildcards  It   must be an exact match    http   www w3 org TR cors  access-control-allow-headers-response-header    So here is my php solution   if    SERVER  REQUEST METHOD       OPTIONS        headers getallheaders        ACRH  headers  Access-Control-Request-Headers      header  Access-Control-Allow-Headers   ACRH

User · Answer

I found that Access-Control-Allow-Headers    should be set ONLY for OPTIONS request  If you return it for POST request then browser cancel the request  at least for chrome   The following PHP code works for me      Allow CORS if  isset   SERVER  HTTP ORIGIN           header  Access-Control-Allow-Origin     SERVER  HTTP ORIGIN           header  Access-Control-Allow-Credentials  true            header  Access-Control-Allow-Methods  GET  POST  OPTIONS             Access-Control headers are received during OPTIONS requests if    SERVER  REQUEST METHOD       OPTIONS         header  Access-Control-Allow-Headers           I found similar questions with some misleading response    Server thread says that this is 2 years bug of chrome  Access-Control-Allow-Headers does not match with localhost  It s wrong  I can use CORS to my local server with Post normally Access-Control-Allow-Headers does accept wildcards  It s also wrong  wildcard works for me  I tested only with Chrome    This take me half day to figure out the issue   Happy coding

[http] CORS Access-Control-Allow-Headers wildcard being ignored?

Examples related to http

Examples related to browser

Examples related to cors