Edit

Share via


CORSNonWildcardRequestHeadersSupport

CORS non-wildcard request header support enabled

Supported versions

  • On Windows and macOS since 97 or later

Description

This policy lets you configure support of CORS non-wildcard request headers.

Microsoft Edge version 97 introduces support for CORS non-wildcard request headers. When a script makes a cross-origin network request via fetch() and XMLHttpRequest with a script-added Authorization header, the header must be explicitly allowed by the Access-Control-Allow-Headers header in the CORS preflight response. "Explicitly" here means that the wild card symbol "*" doesn't cover the Authorization header. See https://go.microsoft.com/fwlink/?linkid=2180022 for more detail.

If you enable or don't configure the policy, Microsoft Edge will support the CORS non-wildcard request headers and behave as previously described.

If you disable this policy, Microsoft Edge will allow the wildcard symbol ("*") in the Access-Control-Allow-Headers header in the CORS preflight response to cover the Authorization header.

This policy is a temporary workaround for the new CORS non-wildcard request header feature. It's intended to be removed in the future.

Supported features

  • Can be mandatory: Yes
  • Can be recommended: No
  • Dynamic Policy Refresh: Yes
  • Per Profile: Yes
  • Applies to a profile that is signed in with a Microsoft account: Yes

Data type

  • Boolean

Windows information and settings

Group Policy (ADMX) info

  • GP unique name: CORSNonWildcardRequestHeadersSupport
  • GP name: CORS non-wildcard request header support enabled
  • GP path (Mandatory): Administrative Templates/Microsoft Edge
  • GP path (Recommended): N/A
  • GP ADMX file name: MSEdge.admx

Example value

Enabled

Registry settings

  • Path (Mandatory): SOFTWARE\Policies\Microsoft\Edge
  • Path (Recommended): N/A
  • Value name: CORSNonWildcardRequestHeadersSupport
  • Value type: REG_DWORD

Example registry value

0x00000001

Mac information and settings

  • Preference Key name: CORSNonWildcardRequestHeadersSupport
  • Example value:
<true/>

See also