Edge cannot recognize multiple Access-Control-Allow-Headers headers

Confirmed Issue #12046299 • Assigned to Scott W.


May 17, 2017
This issue is public.
Found in
  • Microsoft Edge
Reported by 1 person

Sign in to watch or report this issue.

Steps to reproduce

In Cross-Origin XHR preflight access, API Server send mutiple Access-Control-Allow-Headers, but Edge use only first Access-Control-Allow-Headers header.
Other browser merge these headers.


0 attachments

    Comments and activity

    • Microsoft Edge Team

      Changed Assigned To to “Steven K.”

    • Hi,

      Do you by chance have a repro I can use to verify?

      Thank you,


    • How to reproduce.
      just open this: http://jsdo.it/wilfrem/QgnX

      It’s simple code to CORS access to API Server.
      Mock API Server return two Access-Control-Allow-Headers header.
      Chrome(58.0.3029.110 (64-bit)) can access it, but MSEdge(40.15063.0.0) cannot and display SEC7123: Request header X-AUTH-TOKEN was not present in the Access-Control-Allow-Headers list. at console.

    • Microsoft Edge Team

      Changed Assigned To to “Sermet I.”

      Changed Assigned To to “Venkat K.”

      Changed Assigned To from “Venkat K.” to “Scott W.”

      Changed Status to “Confirmed”

    You need to sign in to your Microsoft account to add a comment.

    Sign in