Edge cannot recognize multiple Access-Control-Allow-Headers headers

Confirmed Issue #12046299 • Assigned to Scott W.


May 17, 2017
This issue is public.
Found in
  • Microsoft Edge
Reported by 6 people

Sign in to watch or report this issue.

Steps to reproduce

In Cross-Origin XHR preflight access, API Server send mutiple Access-Control-Allow-Headers, but Edge use only first Access-Control-Allow-Headers header.
Other browser merge these headers.


0 attachments

    Comments and activity

    • Microsoft Edge Team

      Changed Assigned To to “Steven K.”

    • Hi,

      Do you by chance have a repro I can use to verify?

      Thank you,


    • How to reproduce.
      just open this: http://jsdo.it/wilfrem/QgnX

      It’s simple code to CORS access to API Server.
      Mock API Server return two Access-Control-Allow-Headers header.
      Chrome(58.0.3029.110 (64-bit)) can access it, but MSEdge(40.15063.0.0) cannot and display SEC7123: Request header X-AUTH-TOKEN was not present in the Access-Control-Allow-Headers list. at console.

    • Microsoft Edge Team

      Changed Assigned To to “Sermet I.”

      Changed Assigned To to “Venkat K.”

      Changed Assigned To from “Venkat K.” to “Scott W.”

      Changed Status to “Confirmed”

    • A workaround for this is to combine the Access-Control-Allow-Headers into a single header response.

    • This is utterly stupid. Every other browser has not had a single problem with any of my API calls. Only MS can be this much of a pain. I had to have all Access-Control-Allow-Headers in a single header response AND same matching case (no extra spaces, mismatch capital letters, etc).

    You need to sign in to your Microsoft account to add a comment.

    Sign in