
CORS: Strict ABNF based Checks on Access-Control-Allow-Headers and Access-Control-Allow-Methods headers

Category: Security
Type: New or changed feature
Status: Enabled by default (Chrome 85)
Intent stage: Prepare to ship

Summary

Chrome's CORS implementation previously checked the Access-Control-Allow-Headers and Access-Control-Allow-Methods headers in a relaxed manner that did not follow the ABNF defined by the spec. After Chrome 85, CORS checks follow the standardized ABNF.
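A small linter a server operator could run over the values sent in these two headers, as an added example that is neither Chrome's code nor part of the original page. It assumes the strict sender form of the list grammar (`token *( OWS "," OWS token )`, token characters per RFC 7230); the function names and sample values are constructed for illustration.

```javascript
// Added example: lint CORS allow-list header values against the token-list ABNF.
// tchar set from RFC 7230 section 3.2.6; a method and a field-name are both a token.
const TOKEN = /^[!#$%&'*+\-.^_`|~0-9A-Za-z]+$/;

// Validates a value as #token in sender form: token *( OWS "," OWS token ),
// where OWS = *( SP / HTAB ). Assumption: empty list elements are rejected.
// Returns { ok, tokens, errors }; an empty value is the valid empty list.
function checkTokenList(value) {
  const result = { ok: true, tokens: [], errors: [] };
  if (value === "") return result;
  value.split(",").forEach((raw, index) => {
    // Only SP and HTAB may surround an element; String.trim() would strip too much.
    const element = raw.replace(/^[ \t]+|[ \t]+$/g, "");
    if (element === "") {
      result.errors.push(`element ${index + 1}: empty list element`);
    } else if (!TOKEN.test(element)) {
      result.errors.push(`element ${index + 1}: ${JSON.stringify(element)} is not a token`);
    } else {
      result.tokens.push(element);
    }
  });
  result.ok = result.errors.length === 0;
  return result;
}

// Constructed sample values of the kind a misconfigured server might emit.
const samples = {
  "Access-Control-Allow-Methods": ["GET, PUT, DELETE", "GET PUT", "GET,,PUT"],
  "Access-Control-Allow-Headers": ["Content-Type, X-Requested-With", "X-Foo; X-Bar", "*"],
};

// Produces one OK/FAIL report line per sample value.
function lintSamples() {
  const report = [];
  for (const [name, values] of Object.entries(samples)) {
    for (const value of values) {
      const { ok, errors } = checkTokenList(value);
      const detail = ok ? "" : "  (" + errors.join("; ") + ")";
      report.push(`${ok ? "OK  " : "FAIL"} ${name}: ${value}${detail}`);
    }
  }
  return report;
}

console.log(lintSamples().join("\n"));
```

Values that are space-separated or use `;` as a separator are the kind of input a relaxed parser might tolerate and a grammar-based check rejects.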

Standards & signals

Docs: https://bugs.chromium.org/p/chromium/issues/detail?id=1060504

Explainers: https://fetch.spec.whatwg.org/#http-new-header-syntax
