A CORS non-wildcard request header is an HTTP request header which is not covered by the wildcard symbol ("*") in the Access-Control-Allow-Headers header. "authorization" is the only CORS non-wildcard request-header name. Currently we treat the header as a usual header, which is problematic for security reasons. Implement it, and change the current behavior.

1: https://fetch.spec.whatwg.org/#cors-non-wildcard-request-header-name
To improve security. With the current behavior, a malicious web site can use stolen/guessed authentication data easily.
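The header check described above, as an added example (not Chromium's code): a simplified model of the preflight header check in the Fetch spec, comparing wildcard handling with and without the non-wildcard rule. The function names and the `enforceNonWildcard` option are hypothetical, and the caller is assumed to pass only header names that require preflight approval.

```javascript
// CORS non-wildcard request-header names per the Fetch spec (only "authorization").
const NON_WILDCARD_NAMES = new Set(["authorization"]);

// Parse an Access-Control-Allow-Headers value into a set of lowercase names.
function parseAllowHeaders(value) {
  return new Set(
    value.split(",").map((s) => s.trim().toLowerCase()).filter((s) => s !== "")
  );
}

// Returns true when the preflight response permits every requested header.
// unsafeNames: request header names needing preflight approval (assumption:
// already filtered to CORS-unsafe names by the caller).
// enforceNonWildcard=false models the behavior the page calls "current".
function preflightAllowsHeaders(allowHeadersValue, unsafeNames, opts = {}) {
  const { credentialsInclude = false, enforceNonWildcard = true } = opts;
  const allowed = parseAllowHeaders(allowHeadersValue);
  // "*" acts as a wildcard only for requests made without credentials.
  const wildcard = allowed.has("*") && !credentialsInclude;
  for (const raw of unsafeNames) {
    const name = raw.toLowerCase();
    if (allowed.has(name)) continue; // explicitly listed by the server
    // "authorization" must be listed by name; "*" never covers it.
    if (enforceNonWildcard && NON_WILDCARD_NAMES.has(name)) return false;
    if (!wildcard) return false;
  }
  return true;
}
```

A server that needs cross-origin requests carrying `Authorization` therefore has to name it explicitly, for example `Access-Control-Allow-Headers: *, Authorization`.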
Status in Chromium
No active development (tracking bug)
Consensus & Standardization
- No signal
- No signals
Last updated on 2021-07-19