[whatwg/fetch] Disallowing `Authorization` in CORS-preflight wildcards is currently not web compatible (Issue #1919)

Lubrsi created an issue (whatwg/fetch#1919)

### What is the issue with the Fetch Standard?

When loading `https://rodericksdentalpartners.portal.dental/`, it makes a CORS-preflight fetch to `https://p-euw1-d1-rest.portal.dental/api/pusher/auth` with one of the request headers being `Authorization` and the server responds with `access-control-allow-headers: *`.

The current spec disallows this, but Firefox, Chrome and Safari allow it. Firefox is the only one to provide a compatibility warning that it will soon disallow it, but doesn't seem to have seen activity related to this for a couple of years: https://bugzilla.mozilla.org/show_bug.cgi?id=1687364


Message ID: <whatwg/fetch/issues/1919@github.com>

Received on Tuesday, 7 April 2026 13:24:57 UTC
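
The header check discussed in this issue, as an added example that is not part of the original post or of any browser's code: it follows the CORS-preflight header steps of the Fetch Standard, where `Authorization` is a CORS non-wildcard request-header name, next to a "lenient" mode that models the behaviour the issue reports. The function names, the mode flag and the sample header list are assumptions made for illustration, and the caller is assumed to pass only header names that are not CORS-safelisted.

```javascript
// Added example: which request headers a preflight response fails to authorize.
// Assumption: `unsafeNames` already excludes CORS-safelisted request headers.

// The Fetch Standard's CORS non-wildcard request-header name.
const NON_WILDCARD = new Set(["authorization"]);

// Parse an Access-Control-Allow-Headers value into lowercase names.
function parseAllowHeaders(value) {
  return new Set(
    (value || "").split(",").map((s) => s.trim().toLowerCase()).filter(Boolean)
  );
}

// mode "spec":    `*` never covers Authorization (Fetch Standard).
// mode "lenient": `*` covers every header, modelling the reported behaviour.
function rejectedHeaders(unsafeNames, allowHeadersValue, credentialsMode, mode = "spec") {
  const allowed = parseAllowHeaders(allowHeadersValue);
  // With credentials mode "include", `*` is a literal header name, not a wildcard.
  const wildcard = credentialsMode !== "include" && allowed.has("*");
  const rejected = [];
  for (const name of unsafeNames) {
    const lower = name.toLowerCase();
    if (allowed.has(lower)) continue; // explicitly listed: always accepted
    if (mode === "spec" && NON_WILDCARD.has(lower)) {
      rejected.push(name); // must be listed by name, wildcard or not
      continue;
    }
    if (!wildcard) rejected.push(name);
  }
  return rejected;
}

// Constructed sample: headers of a request like the one in the report.
const sampleHeaders = ["Authorization", "X-Requested-With"];

for (const [allow, creds, mode] of [
  ["*", "same-origin", "spec"],
  ["*", "same-origin", "lenient"],
  ["authorization, *", "same-origin", "spec"],
  ["*", "include", "spec"],
]) {
  const r = rejectedHeaders(sampleHeaders, allow, creds, mode);
  console.log(`${mode} allow="${allow}" creds=${creds} ->`,
    r.length ? `network error (${r.join(", ")})` : "preflight passes");
}
```

A server that lists `Authorization` by name in `Access-Control-Allow-Headers` passes under both modes, so it keeps working whichever way the issue is resolved.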