Edge cannot recognize multiple Access-Control-Allow-Headers headers

Confirmed Issue #12046299 • Assigned to Scott W.

Details

Created
May 17, 2017
Privacy
This issue is public.
Found in
  • Microsoft Edge
Reports
Reported by 2 people

Sign in to watch or report this issue.

Steps to reproduce

In Cross-Origin XHR preflight access, API Server send mutiple Access-Control-Allow-Headers, but Edge use only first Access-Control-Allow-Headers header.
Other browser merge these headers.

Attachments

0 attachments

    Comments and activity

    • Microsoft Edge Team

      Changed Assigned To to “Steven K.”

    • Hi,

      Do you by chance have a repro I can use to verify?

      Thank you,

      Steve

    • How to reproduce.
      just open this: http://jsdo.it/wilfrem/QgnX

      It’s simple code to CORS access to API Server.
      Mock API Server return two Access-Control-Allow-Headers header.
      Chrome(58.0.3029.110 (64-bit)) can access it, but MSEdge(40.15063.0.0) cannot and display SEC7123: Request header X-AUTH-TOKEN was not present in the Access-Control-Allow-Headers list. at console.

    • Microsoft Edge Team

      Changed Assigned To to “Sermet I.”

      Changed Assigned To to “Venkat K.”

      Changed Assigned To from “Venkat K.” to “Scott W.”

      Changed Status to “Confirmed”

    • A workaround for this is to combine the Access-Control-Allow-Headers into a single header response.

    You need to sign in to your Microsoft account to add a comment.

    Sign in