CORS-safelisted Request Header
April 27, 2023
CORS (Cross-Origin Resource Sharing) is a web standard that allows web pages to make requests to a different domain than the one that served the original web page. This standard is important because it enables web applications to communicate with APIs on different domains and helps to enhance the functionality of web applications.
However, to ensure security, browsers restrict cross-origin requests by default. That means that a web page from one domain cannot make a request to a different domain without the explicit permission of the latter. The CORS mechanism allows servers to specify which origins are allowed to make requests to their resources.
One of the fundamental concepts of CORS is the distinction between simple and non-simple requests. Simple requests are those that meet certain criteria, such as using the HTTP GET, POST or HEAD methods, and using only certain types of content as their body. Simple requests don’t require a preflight request, which is an additional request that checks whether the server allows the requested method, headers, and origin.
Non-simple requests, on the other hand, are those that don’t meet the criteria for simple requests. These requests require a preflight request, which is an OPTIONS request that checks whether the server allows the requested method, headers, and origin.
One way a server specifies which headers it accepts in cross-origin requests is by listing them in the Access-Control-Allow-Headers response header. Not every header is allowed in a cross-origin request, however: only headers that are considered safelisted are allowed.
A safelisted request header is a header that is considered safe to include in a cross-origin request without requiring a preflight request. A header is safelisted if it meets one of the following conditions:
- The header is one of the following simple headers:
  - Accept
  - Accept-Language
  - Content-Language
  - Content-Type (with a MIME type of application/x-www-form-urlencoded, multipart/form-data, or text/plain)
- The header is a custom header that has been explicitly allowed by the server using the Access-Control-Allow-Headers response header.
Headers that don’t meet these conditions are not safelisted and require a preflight request to be included in a cross-origin request.
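The following is an added example, not code from the original post: it applies the safelist rules listed above to a request as a browser would, reporting which headers are not safelisted and whether a preflight is therefore needed. The sample requests at the bottom are constructed for illustration.

```javascript
// Added example, not code from the original post: classify a cross-origin
// request the way the post describes, deciding whether every header is
// CORS-safelisted and therefore whether the browser would send a preflight.
// The sample requests at the bottom are constructed for illustration.

// Header names are case-insensitive, so everything is compared in lower case.
const SAFELISTED_HEADER_NAMES = new Set([
  "accept",
  "accept-language",
  "content-language",
  "content-type",
]);

// Content-Type is safelisted only for these media types; parameters such as
// "; charset=utf-8" do not affect the comparison.
const SAFELISTED_CONTENT_TYPES = new Set([
  "application/x-www-form-urlencoded",
  "multipart/form-data",
  "text/plain",
]);

// Methods that a simple request may use.
const SIMPLE_METHODS = new Set(["GET", "HEAD", "POST"]);

// True if one header name/value pair is CORS-safelisted.
function isSafelistedHeader(name, value) {
  const lowerName = String(name).trim().toLowerCase();
  if (!SAFELISTED_HEADER_NAMES.has(lowerName)) return false;
  if (lowerName !== "content-type") return true;
  // "text/plain; charset=utf-8" -> "text/plain"
  const mediaType = String(value).split(";")[0].trim().toLowerCase();
  return SAFELISTED_CONTENT_TYPES.has(mediaType);
}

// Classify a whole request. Returns the headers that are not safelisted
// (these are what the browser would list in Access-Control-Request-Headers)
// and whether a preflight is needed at all.
function classifyRequest(method, headers) {
  const nonSafelistedHeaders = [];
  for (const [name, value] of Object.entries(headers)) {
    if (!isSafelistedHeader(name, value)) nonSafelistedHeaders.push(name);
  }
  const simpleMethod = SIMPLE_METHODS.has(String(method).toUpperCase());
  return {
    needsPreflight: !simpleMethod || nonSafelistedHeaders.length > 0,
    nonSafelistedHeaders,
  };
}

// Constructed sample requests from a page on https://example.com to
// https://api.example.org, as in the post.
const samples = [
  ["POST", { "Content-Type": "text/plain; charset=utf-8", Accept: "*/*" }],
  ["POST", { "Content-Type": "application/json" }],
  ["GET", { Authorization: "Bearer <token>", Accept: "application/json" }],
  ["DELETE", {}],
];

for (const [method, headers] of samples) {
  const result = classifyRequest(method, headers);
  console.log(method, JSON.stringify(headers), "->", result);
}
```

The second sample is the case that surprises most people: a POST with Content-Type: application/json is not a simple request, because only the three listed media types keep Content-Type safelisted, so the browser preflights it even though no custom header was added.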
For example, if a web page from https://example.com wants to make a request to https://api.example.org, it can only include safelisted headers in the request. If the web page includes a non-safelisted header, such as Authorization, the browser will send a preflight request to the server to check whether the header is allowed. The preflight request uses the OPTIONS method and carries the Access-Control-Request-Headers header, which contains the list of headers that the web page wants to include in the actual request. The server can then respond with the Access-Control-Allow-Headers header, which specifies whether the requested headers are allowed.
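The exchange described above, as an added example that is not part of the original post: the server side answers the OPTIONS preflight against an explicit policy, and the browser side performs the comparison that decides whether the actual request is sent. The origins, header names and policy values are constructed placeholders, and the `policy` object and function names are assumptions of this example rather than any library's API.

```javascript
// Added example, not code from the original post: both ends of the preflight
// exchange, written as plain functions so they run offline.
// The origins, header names and policy values are constructed placeholders.

// Explicit server policy. Listing every allowed origin and header by name is
// the defender's default: do not echo arbitrary Origin values back, and do
// not answer "*" on an API that serves credentialed requests.
const policy = {
  allowedOrigins: new Set(["https://example.com"]),
  allowedMethods: new Set(["GET", "POST", "PUT"]),
  allowedHeaders: new Set(["authorization", "x-request-id"]), // lower case
  maxAgeSeconds: 600,
};

// "Authorization, X-Request-ID" -> ["authorization", "x-request-id"]
function parseHeaderList(value) {
  if (!value) return [];
  return String(value).split(",").map((h) => h.trim().toLowerCase()).filter(Boolean);
}

// Server side: answer an OPTIONS preflight. `reqHeaders` is an object keyed by
// lower-cased request header names, as Node's http module provides them.
// Returns the status and the response headers to send.
function handlePreflight(reqHeaders, policy) {
  const origin = reqHeaders["origin"];
  const method = String(reqHeaders["access-control-request-method"] || "").toUpperCase();
  const requested = parseHeaderList(reqHeaders["access-control-request-headers"]);

  // Unknown origin or method: respond without any CORS headers, so the
  // browser treats the preflight as failed and never sends the real request.
  if (!policy.allowedOrigins.has(origin) || !policy.allowedMethods.has(method)) {
    return { status: 403, headers: {} };
  }

  // Advertise only headers that are both requested and in the policy; the
  // browser compares this list against its Access-Control-Request-Headers.
  const granted = requested.filter((h) => policy.allowedHeaders.has(h));
  const headers = {
    "Access-Control-Allow-Origin": origin,
    "Vary": "Origin", // the answer depends on Origin, so caches must key on it
    "Access-Control-Allow-Methods": [...policy.allowedMethods].join(", "),
    "Access-Control-Max-Age": String(policy.maxAgeSeconds),
  };
  if (granted.length > 0) {
    headers["Access-Control-Allow-Headers"] = granted.join(", ");
  }
  return { status: 204, headers };
}

// Browser side: after the preflight returns, the actual request is sent only
// if the origin, the method and every requested header were allowed.
function browserAcceptsPreflight(origin, method, requestedHeaders, responseHeaders) {
  if (responseHeaders["Access-Control-Allow-Origin"] !== origin) return false;
  const methods = parseHeaderList(responseHeaders["Access-Control-Allow-Methods"]);
  if (!methods.includes(String(method).toLowerCase())) return false;
  const allowed = new Set(parseHeaderList(responseHeaders["Access-Control-Allow-Headers"]));
  return parseHeaderList(requestedHeaders).every((h) => allowed.has(h));
}

// Constructed exchange: the page on https://example.com wants to send
// Authorization with a POST to https://api.example.org.
const preflightRequest = {
  origin: "https://example.com",
  "access-control-request-method": "POST",
  "access-control-request-headers": "Authorization",
};
const reply = handlePreflight(preflightRequest, policy);
console.log("preflight response:", reply);
console.log(
  "actual request allowed:",
  browserAcceptsPreflight("https://example.com", "POST", "Authorization", reply.headers),
);
```

To serve this from Node, call `handlePreflight(req.headers, policy)` inside an `http.createServer` handler whenever `req.method === "OPTIONS"` and write the returned status and headers; Node already lower-cases incoming header names. The non-OPTIONS branch still has to emit Access-Control-Allow-Origin (and Vary: Origin) on the actual response, since the preflight only permits the browser to send the request, not to read the reply.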
In summary, a CORS-safelisted request header is a request header that is considered safe to include in a cross-origin request without requiring a preflight request. Safelisted headers include simple headers and custom headers that have been explicitly allowed by the server. By restricting the headers that are allowed in cross-origin requests, CORS helps to prevent malicious websites from accessing sensitive data and resources on other domains.