Case-sensitive comparison of CORS-preflight allowed header resolves in Access Denied

Issue #10584749 • Assigned to Venkat K.

Details

Author
Ilya F.
Created
Jan 19, 2017
Privacy
This issue is public.
Reports
Reported by 2 people


Steps to reproduce

When making a CORS request the browser does a preflight check of the headers. According to the spec (CORS-preflight fetch, 3), the list of headers there should be lower-cased (“byte-lowercased”), which is correct in Edge (notice content-type):

Access-Control-Request-Headers: content-type

Then server responds with:

Access-Control-Allow-Headers: Content-Type

and Edge throws the Access denied error with the following message:

Request header content-type was not presented in the Access-Control-Allow-Header list

So, it looks like Edge performs a case-sensitive comparison of the requested and allowed headers.

Expected: a case-insensitive comparison of the requested and allowed headers.
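To make the comparison concrete, here is an added example (not code from the issue or from Edge) that models the Fetch preflight check in both forms: the spec's case-insensitive match and the case-sensitive match reported above, plus the server-side mitigation of emitting the allow list already lowercased. All header values are constructed for illustration.

```javascript
// Added example: models the CORS-preflight header check described in the issue.
// Request header names are byte-lowercased by the browser before being sent
// (Access-Control-Request-Headers), so the server's Access-Control-Allow-Headers
// list must be matched case-insensitively.

// Parse an Access-Control-Allow-Headers value into a list of header names.
function parseAllowHeaders(value) {
  return value.split(',').map(s => s.trim()).filter(s => s.length > 0);
}

// Spec-compliant check: returns the requested header names that are NOT in the
// allow list (an empty array means the preflight passes).
function missingHeadersSpec(requestHeaders, allowHeadersValue) {
  const allowed = new Set(parseAllowHeaders(allowHeadersValue).map(h => h.toLowerCase()));
  return requestHeaders.map(h => h.toLowerCase()).filter(h => !allowed.has(h));
}

// The behaviour the issue reports: the lowercased request names are compared
// against the server's list verbatim, so "Content-Type" fails to match
// "content-type" and the request is rejected with "Access denied".
function missingHeadersCaseSensitive(requestHeaders, allowHeadersValue) {
  const allowed = new Set(parseAllowHeaders(allowHeadersValue));
  return requestHeaders.map(h => h.toLowerCase()).filter(h => !allowed.has(h));
}

// Server-side mitigation that works with both behaviours: send the allowed
// names in the same lowercased form the browser uses in the preflight.
function allowHeadersValueFor(allowedNames) {
  return allowedNames.map(h => h.toLowerCase()).join(', ');
}

// The exchange from the issue (constructed values):
const requested = ['content-type'];   // Access-Control-Request-Headers
const serverReply = 'Content-Type';   // Access-Control-Allow-Headers
console.log(missingHeadersSpec(requested, serverReply));           // []
console.log(missingHeadersCaseSensitive(requested, serverReply));  // ['content-type']
console.log(missingHeadersCaseSensitive(
  ['content-type', 'authorization'],
  allowHeadersValueFor(['Content-Type', 'Authorization'])));       // []
```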

Attachments

0 attachments

    Comments and activity

    • Microsoft Edge Team

      Changed Assigned To to “Brad E.”

    • Hi Ilya, thank you for filing this bug! We just wanted to get some more detail about how you were running into this issue. Can you please tell us what version of Edge you’re using? Would you also happen to have a snippet of code that you used when you ran into this issue? Thanks!

    • Hi,
      I’m facing the same issue. I’m using the Google Drive API and when I try to download files, I get the same errors as Ilya. The header that I’m getting this error for is 'Authorization'.

      Request header authorization was not presented in the Access-Control-Allow-Header list
      

      Here is the code for which I’m facing the issue:

      $.ajax({
          url: "https://docs.google.com/feeds/download/documents/export/Export?id=14rNidB_N9M0NLGest7od2fRTjcQJvhOUV7sLEm5vrxk&exportFormat=pdf",
          dataType: 'binary', // non-standard dataType; requires a binary transport plugin for jQuery
          type: 'GET',
          processData: false,
          // Custom request header: this forces a CORS preflight carrying
          // "Access-Control-Request-Headers: authorization".
          // oauthToken is the access token obtained from the OAuth flow beforehand.
          beforeSend: function (xhr) { xhr.setRequestHeader('Authorization', 'Bearer ' + oauthToken); },
          success: function (result) {
              // success
          },
          error: function (err) {
              // error: in Edge/IE the "Access denied" failure surfaces here
          }
      });
      
    • Just noticed that the same issue is with IE too.

    • Confirming this as well. The issue affects both versions 13 and 14. The CORS-preflight request contains headers in lowercase format, which is correct. However, when the server replies with an Access-Control-Allow-Headers header that doesn’t list the header names in lowercase, the following error is thrown:

      Request _headername_ authorization was not presented in the Access-Control-Allow-Header list

      Regards,
      Alex

    • Microsoft Edge Team

      Changed Assigned To from “Brad E.” to “James M.”

      Changed Assigned To to “Venkat K.”
