Access-Control-Request-Headers is a request-type header used by browsers that contains information about the different HTTP headers that will be sent by the client in the ensuing request. Whenever a client initiates a request to a server, the browser checks if the request needs a CORS preflight or not. In case a CORS preflight request is required, the browser uses the HTTP Options method to send a request with a bunch of headers attached with it containing information about certain characteristics of the ensuing request. One of these characteristics is the different headers that the request might contain. This information is stored in the Access-Control-Request-Headers header of the preflight request.
Access-Control-Request-Headers: header-name-1, header-name-2, ...
Directives: The Access-Control-Request-Headers header accepts a single directive as mentioned above and described below:
- header-name: A comma-separated list of header names that will be attached to the ensuing request.
Below example illustrate the Access-Control-Request-Headers in http headers.
Example: Consider the following code to send a XHR request from the browser.
const xhr = new XMLHttpRequest(); xhr.open('POST', 'https://samplepostroute/'); xhr.setRequestHeader('X-PINGOTHER', 'pingpong'); xhr.setRequestHeader('Content-Type', 'application/x-www-form-urlencoded'); xhr.onreadystatechange = handler; xhr.send("id=100");
The request will contain Content-Type and X-PINGOTHER HTTP headers. Before sending the POST request, the browser will send a CORS preflight request. The CORS preflight request will contain the following header. In this manner, the server is informed about the different headers which might be present in the ensuing client request.
Access-Control-Request-Headers: X-PINGOTHER, Content-Type
Supported Browsers: The following browsers are compatible with the Access-Control-Request-Headers header functionality:
- Google Chrome 4.0
- Firefox Browser 3.5
- Internet Explorer 10.0
- Opera 12.0
- Safari 4.0