You can safelist more headers using the Access-Control-Allow-Headers header and also list the above headers there to circumvent the following additional restrictions.
CORS-safelisted headers must also fulfill the following requirements in order to be a CORS-safelisted request header:
- Content-Language can only have values consisting of a-z, space or
- Content-Type can't contain a CORS-unsafe request header byte: 0x09 (HT), which is allowed),
- Content-Type needs to have a MIME type of its parsed value (ignoring parameters) of either
- Range needs to have a value of a single byte range in the form of bytes=[0-9]+-[0-9]*. See the Range header documentation for more details.
- For any header: the value's length can't be greater than 128.
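
The restrictions above can be checked mechanically, for example when auditing which cross-origin requests can reach a server without a preflight. The following JavaScript is an added example, not code from the original page: the function names and sample headers are constructed, and the byte sets and MIME types are taken from the Fetch Standard's definition of a CORS-safelisted request header (which also covers Accept and Accept-Language). MIME parsing is simplified to the part of the value before the first `;`.

```javascript
// Added example. Byte sets and MIME types follow the Fetch Standard.
const UNSAFE = new Set([...'"():<>?@[\\]{}'].map((c) => c.charCodeAt(0)).concat(0x7f));
const LANG_EXTRA = new Set([...' *,-.;='].map((c) => c.charCodeAt(0)));
const SIMPLE_TYPES = new Set([
  'application/x-www-form-urlencoded', 'multipart/form-data', 'text/plain']);

// CORS-unsafe request header byte: control bytes except HT, plus the set above.
const hasUnsafeByte = (bytes) =>
  bytes.some((b) => (b < 0x20 && b !== 0x09) || UNSAFE.has(b));

// Bytes allowed in Accept-Language / Content-Language values.
const isLangByte = (b) =>
  (b >= 0x30 && b <= 0x39) || (b >= 0x41 && b <= 0x5a) ||
  (b >= 0x61 && b <= 0x7a) || LANG_EXTRA.has(b);

function isCorsSafelistedRequestHeader(name, value) {
  const bytes = Array.from(new TextEncoder().encode(value));
  if (bytes.length > 128) return false; // applies to every header
  switch (name.toLowerCase()) {
    case 'accept':
      return !hasUnsafeByte(bytes);
    case 'accept-language':
    case 'content-language':
      return bytes.every(isLangByte);
    case 'content-type': {
      if (hasUnsafeByte(bytes)) return false;
      // Simplified MIME parse: essence is the text before the first ';'.
      const essence = value.split(';')[0].trim().toLowerCase();
      return SIMPLE_TYPES.has(essence);
    }
    case 'range': // single byte range only, no suffix or multi-range forms
      return /^bytes=[0-9]+-[0-9]*$/.test(value);
    default:
      return false; // any other header is not safelisted
  }
}

// Names of headers that fail the check and so must be allowed via a preflight.
const unsafelistedHeaders = (headers) =>
  Object.entries(headers)
    .filter(([n, v]) => !isCorsSafelistedRequestHeader(n, v))
    .map(([n]) => n);

// Constructed sample request headers.
const sampleHeaders = {
  'Content-Type': 'application/json', 'Content-Language': 'en-US',
  'Range': 'bytes=0-1023', 'X-Requested-With': 'XMLHttpRequest' };
console.log(unsafelistedHeaders(sampleHeaders));
```

A server that relies on the preflight as a gate for state-changing requests should confirm that its endpoints reject the three `Content-Type` values this check accepts, since those are sent cross-origin without one.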