FF115 Access-Control-Allow-Headers - wildcard not include Authorization header #20092
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
The spec states that if
Access-Control-Allow-Headers
specifies a wildcard, that does not automatically include theAuthorization
header. Browsers were wildcarding theAuthorization
header but are not preparing to deprecate that behaviour.FF115 does so behind a preference in https://bugzilla.mozilla.org/show_bug.cgi?id=1687364. Chrome was planning to to this in M116 but is waiting on others to catch up: see https://chromestatus.com/feature/5742041264816128 and https://groups.google.com/a/chromium.org/g/blink-dev/c/yXxYCo3ytQU/m/Z6woo8enAgAJ
This adds the FF information.
Note, I have not been able to test this because the relevant WPT live test appears to fail this for other reasons: https://wpt.live/fetch/api/cors/cors-preflight-star.any.html
Related docs work can be tracked in mdn/content#27230
FYI @queengooborg