CINXE.COM
Cross-Origin Resource Sharing (CORS) - HTTP | MDN
<!doctype html> <html lang="en-US" prefix="og: https://ogp.me/ns#"> <head> <base href="https://developer.mozilla.org/en-US/docs/Web/HTTP/CORS"> <meta charset="utf-8"> <meta name="viewport" content="width=device-width,initial-scale=1"> <link rel="icon" href="https://developer.mozilla.org/favicon-48x48.bc390275e955dacb2e65.png"> <link rel="apple-touch-icon" href="https://developer.mozilla.org/apple-touch-icon.528534bba673c38049c2.png"> <meta name="theme-color" content="#ffffff"> <link rel="manifest" href="https://developer.mozilla.org/manifest.f42880861b394dd4dc9b.json"> <link rel="search" type="application/opensearchdescription+xml" href="/opensearch.xml" title="MDN Web Docs"> <title>Cross-Origin Resource Sharing (CORS) - HTTP | MDN</title> <link rel="alternate" title="Cross-Origin Resource Sharing (CORS)" href="https://developer.mozilla.org/de/docs/Web/HTTP/CORS" hreflang="de"> <link rel="alternate" title="Intercambio de recursos de origen cruzado (CORS)" href="https://developer.mozilla.org/es/docs/Web/HTTP/CORS" hreflang="es"> <link rel="alternate" title="Cross-origin resource sharing (CORS)" href="https://developer.mozilla.org/fr/docs/Web/HTTP/CORS" hreflang="fr"> <link rel="alternate" title="オリジン間リソース共有 (CORS)" href="https://developer.mozilla.org/ja/docs/Web/HTTP/CORS" hreflang="ja"> <link rel="alternate" title="교차 출처 리소스 공유 (CORS)" href="https://developer.mozilla.org/ko/docs/Web/HTTP/CORS" hreflang="ko"> <link rel="alternate" title="Cross-Origin Resource Sharing (CORS)" href="https://developer.mozilla.org/pt-BR/docs/Web/HTTP/CORS" hreflang="pt"> <link rel="alternate" title="Cross-Origin Resource Sharing (CORS)" href="https://developer.mozilla.org/ru/docs/Web/HTTP/CORS" hreflang="ru"> <link rel="alternate" title="跨源资源共享(CORS)" href="https://developer.mozilla.org/zh-CN/docs/Web/HTTP/CORS" hreflang="zh"> <link rel="alternate" title="跨來源資源共享(CORS)" href="https://developer.mozilla.org/zh-TW/docs/Web/HTTP/CORS" hreflang="zh-Hant"> <link rel="alternate" title="Cross-Origin Resource Sharing (CORS)" href="https://developer.mozilla.org/en-US/docs/Web/HTTP/CORS" hreflang="en"> <link rel="preload" as="font" type="font/woff2" href="/static/media/Inter.var.c2fe3cb2b7c746f7966a.woff2" crossorigin=""> <link rel="alternate" type="application/rss+xml" title="MDN Blog RSS Feed" href="https://developer.mozilla.org/en-US/blog/rss.xml" hreflang="en"> <meta name="description" content="Cross-Origin Resource Sharing (CORS) is an HTTP-header based mechanism that allows a server to indicate any origins (domain, scheme, or port) other than its own from which a browser should permit loading resources. CORS also relies on a mechanism by which browsers make a "preflight" request to the server hosting the cross-origin resource, in order to check that the server will permit the actual request. In that preflight, the browser sends headers that indicate the HTTP method and headers that will be used in the actual request."> <meta property="og:url" content="https://developer.mozilla.org/en-US/docs/Web/HTTP/CORS"> <meta property="og:title" content="Cross-Origin Resource Sharing (CORS) - HTTP | MDN"> <meta property="og:type" content="website"> <meta property="og:locale" content="en_US"> <meta property="og:description" content="Cross-Origin Resource Sharing (CORS) is an HTTP-header based mechanism that allows a server to indicate any origins (domain, scheme, or port) other than its own from which a browser should permit loading resources. CORS also relies on a mechanism by which browsers make a "preflight" request to the server hosting the cross-origin resource, in order to check that the server will permit the actual request. In that preflight, the browser sends headers that indicate the HTTP method and headers that will be used in the actual request."> <meta property="og:image" content="https://developer.mozilla.org/mdn-social-share.d893525a4fb5fb1f67a2.png"> <meta property="og:image:type" content="image/png"> <meta property="og:image:height" content="1080"> <meta property="og:image:width" content="1920"> <meta property="og:image:alt" content="The MDN Web Docs logo, featuring a blue accent color, displayed on a solid black background."> <meta property="og:site_name" content="MDN Web Docs"> <meta name="twitter:card" content="summary_large_image"> <meta name="twitter:creator" content="MozDevNet"> <link rel="canonical" href="https://developer.mozilla.org/en-US/docs/Web/HTTP/CORS"> <style media="print">.article-actions-container,.document-toc-container,.language-menu,.main-menu-toggle,.on-github,.page-footer,.place,.sidebar,.top-banner,.top-navigation-main,ul.prev-next{display:none!important}.main-page-content,.main-page-content pre{padding:2px}.main-page-content pre{border-left-width:2px}</style> <script src="/static/js/gtag.js" defer></script> <script defer src="/static/js/main.06414919.js"></script> <link href="/static/css/main.4634a21c.css" rel="stylesheet"> <meta http-equiv="X-Translated-By" content="Google"> <meta http-equiv="X-Translated-To" content="tr"> <script type="text/javascript" src="https://www.gstatic.com/_/translate_http/_/js/k=translate_http.tr.en_GB.sLUaD8n-8CY.O/am=gAE/d=1/rs=AN8SPfpi3wsrGBfUnK-IHqzYxskd8oOqqw/m=corsproxy" data-sourceurl="https://developer.mozilla.org/en-US/docs/Web/HTTP/CORS"></script> <link href="https://fonts.googleapis.com/css2?family=Material+Symbols+Outlined:opsz,wght,FILL,GRAD@20..48,100..700,0..1,-50..200" rel="stylesheet"> <script type="text/javascript" src="https://www.gstatic.com/_/translate_http/_/js/k=translate_http.tr.en_GB.sLUaD8n-8CY.O/am=gAE/d=1/exm=corsproxy/ed=1/rs=AN8SPfpi3wsrGBfUnK-IHqzYxskd8oOqqw/m=phishing_protection" data-phishing-protection-enabled="false" data-forms-warning-enabled="true" data-source-url="https://developer.mozilla.org/en-US/docs/Web/HTTP/CORS"></script> <meta name="robots" content="none"> </head> <body> <script type="text/javascript" src="https://www.gstatic.com/_/translate_http/_/js/k=translate_http.tr.en_GB.sLUaD8n-8CY.O/am=gAE/d=1/exm=corsproxy,phishing_protection/ed=1/rs=AN8SPfpi3wsrGBfUnK-IHqzYxskd8oOqqw/m=navigationui" data-environment="prod" data-proxy-url="https://developer-mozilla-org.translate.goog" data-proxy-full-url="https://developer-mozilla-org.translate.goog/en-US/docs/Web/HTTP/CORS?_x_tr_sl=pl&_x_tr_tl=tr&_x_tr_hl=en-GB" data-source-url="https://developer.mozilla.org/en-US/docs/Web/HTTP/CORS" data-source-language="pl" data-target-language="tr" data-display-language="en-GB" data-detected-source-language="" data-is-source-untranslated="false" data-source-untranslated-url="https://translate.google.com/website?sl=pl&tl=tr&hl=en-GB&u=https://developer.mozilla.org/en-US/docs/Web/HTTP/CORS&anno=2" data-client="tr"></script> <script>if(document.body.addEventListener("load",(t=>{t.target.classList.contains("interactive")&&t.target.setAttribute("data-readystate","complete")}),{capture:!0}),window&&document.documentElement){const t={light:"#ffffff",dark:"#1b1b1b"};try{const e=window.localStorage.getItem("theme");e&&(document.documentElement.className=e,document.documentElement.style.backgroundColor=t[e]);const o=window.localStorage.getItem("nop");o&&(document.documentElement.dataset.nop=o)}catch(t){console.warn("Unable to read theme from localStorage",t)}}</script> <div id="root"> <ul id="nav-access" class="a11y-nav"> <li><a id="skip-main" href="https://developer-mozilla-org.translate.goog/en-US/docs/Web/HTTP/CORS?_x_tr_sl=pl&_x_tr_tl=tr&_x_tr_hl=en-GB#content">Skip to main content</a></li> <li><a id="skip-search" href="https://developer-mozilla-org.translate.goog/en-US/docs/Web/HTTP/CORS?_x_tr_sl=pl&_x_tr_tl=tr&_x_tr_hl=en-GB#top-nav-search-input">Skip to search</a></li> <li><a id="skip-select-language" href="https://developer-mozilla-org.translate.goog/en-US/docs/Web/HTTP/CORS?_x_tr_sl=pl&_x_tr_tl=tr&_x_tr_hl=en-GB#languages-switcher-button">Skip to select language</a></li> </ul> <div class="page-wrapper category-http document-page"> <div class="top-banner loading"> <section class="place top container"></section> </div> <div class="sticky-header-container"> <header class="top-navigation "> <div class="container "> <div class="top-navigation-wrap"> <a href="https://developer-mozilla-org.translate.goog/en-US/?_x_tr_sl=pl&_x_tr_tl=tr&_x_tr_hl=en-GB" class="logo" aria-label="MDN homepage"> <svg id="mdn-docs-logo" xmlns="http://www.w3.org/2000/svg" x="0" y="0" viewbox="0 0 694.9 104.4" style="enable-background:new 0 0 694.9 104.4" xml:space="preserve" role="img"> <title>MDN Web Docs</title><path d="M40.3 0 11.7 92.1H0L28.5 0h11.8zm10.4 0v92.1H40.3V0h10.4zM91 0 62.5 92.1H50.8L79.3 0H91zm10.4 0v92.1H91V0h10.4z" class="logo-m"></path><path d="M627.9 95.6h67v8.8h-67v-8.8z" class="logo-_"></path><path d="M367 42h-4l-10.7 30.8h-5.5l-10.8-26h-.4l-10.5 26h-5.2L308.7 42h-3.8v-5.6H323V42h-6.5l6.8 20.4h.4l10.3-26h4.7l11.2 26h.5l5.7-20.3h-6.2v-5.6H367V42zm34.9 20c-.4 3.2-2 5.9-4.7 8.2-2.8 2.3-6.5 3.4-11.3 3.4-5.4 0-9.7-1.6-13.1-4.7-3.3-3.2-5-7.7-5-13.7 0-5.7 1.6-10.3 4.7-14s7.4-5.5 12.9-5.5c5.1 0 9.1 1.6 11.9 4.7s4.3 6.9 4.3 11.3c0 1.5-.2 3-.5 4.7h-25.6c.3 7.7 4 11.6 10.9 11.6 2.9 0 5.1-.7 6.5-2 1.5-1.4 2.5-3 3-4.9l6 .9zM394 51.3c.2-2.4-.4-4.7-1.8-6.9s-3.8-3.3-7-3.3c-3.1 0-5.3 1-6.9 3-1.5 2-2.5 4.4-2.8 7.2H394zm51 2.4c0 5-1.3 9.5-4 13.7s-6.9 6.2-12.7 6.2c-6 0-10.3-2.2-12.7-6.7-.1.4-.2 1.4-.4 2.9s-.3 2.5-.4 2.9h-7.3c.3-1.7.6-3.5.8-5.3.3-1.8.4-3.7.4-5.5V22.3h-6v-5.6H416v27c1.1-2.2 2.7-4.1 4.7-5.7 2-1.6 4.8-2.4 8.4-2.4 4.6 0 8.4 1.6 11.4 4.7 3 3.2 4.5 7.6 4.5 13.4zm-7.7.6c0-4.2-1-7.4-3-9.5-2-2.2-4.4-3.3-7.4-3.3-3.4 0-6 1.2-8 3.7-1.9 2.4-2.9 5-3 7.7V57c0 3 1 5.6 3 7.7s4.5 3.1 7.6 3.1c3.6 0 6.3-1.3 8.1-3.9 1.8-2.7 2.7-5.9 2.7-9.6zm69.2 18.5h-13.2v-7.2c-1.2 2.2-2.8 4.1-4.9 5.6-2.1 1.6-4.8 2.4-8.3 2.4-4.8 0-8.7-1.6-11.6-4.9-2.9-3.2-4.3-7.7-4.3-13.3 0-5 1.3-9.6 4-13.7 2.6-4.1 6.9-6.2 12.8-6.2 5.7 0 9.8 2.2 12.3 6.5V22.3h-8.6v-5.6h15.8v50.6h6v5.5zM493.2 56v-4.4c-.1-3-1.2-5.5-3.2-7.3s-4.4-2.8-7.2-2.8c-3.6 0-6.3 1.3-8.2 3.9-1.9 2.6-2.8 5.8-2.8 9.6 0 4.1 1 7.3 3 9.5s4.5 3.3 7.4 3.3c3.2 0 5.8-1.3 7.8-3.8 2.1-2.6 3.1-5.3 3.2-8zm53.1-1.4c0 5.6-1.8 10.2-5.3 13.7s-8.2 5.3-13.9 5.3-10.1-1.7-13.4-5.1c-3.3-3.4-5-7.9-5-13.5 0-5.3 1.6-9.9 4.7-13.7 3.2-3.8 7.9-5.7 14.2-5.7s11 1.9 14.1 5.7c3 3.7 4.6 8.1 4.6 13.3zm-7.7-.2c0-4-1-7.2-3-9.5s-4.8-3.5-8.2-3.5c-3.6 0-6.4 1.2-8.3 3.7s-2.9 5.6-2.9 9.5c0 3.7.9 6.8 2.8 9.4 1.9 2.6 4.6 3.9 8.3 3.9 3.6 0 6.4-1.3 8.4-3.8 1.9-2.6 2.9-5.8 2.9-9.7zm45 5.8c-.4 3.2-1.9 6.3-4.4 9.1-2.5 2.9-6.4 4.3-11.8 4.3-5.2 0-9.4-1.6-12.6-4.8-3.2-3.2-4.8-7.7-4.8-13.7 0-5.5 1.6-10.1 4.7-13.9 3.2-3.8 7.6-5.7 13.2-5.7 2.3 0 4.6.3 6.7.8 2.2.5 4.2 1.5 6.2 2.9l1.5 9.5-5.9.7-1.3-6.1c-2.1-1.2-4.5-1.8-7.2-1.8-3.5 0-6.1 1.2-7.7 3.7-1.7 2.5-2.5 5.7-2.5 9.6 0 4.1.9 7.3 2.7 9.5 1.8 2.3 4.4 3.4 7.8 3.4 5.2 0 8.2-2.9 9.2-8.8l6.2 1.3zm34.7 1.9c0 3.6-1.5 6.5-4.6 8.5s-7 3-11.7 3c-5.7 0-10.6-1.2-14.6-3.6l1.2-8.8 5.7.6-.2 4.7c1.1.5 2.3.9 3.6 1.1s2.6.3 3.9.3c2.4 0 4.5-.4 6.5-1.3 1.9-.9 2.9-2.2 2.9-4.1 0-1.8-.8-3.1-2.3-3.8s-3.5-1.3-5.8-1.7-4.6-.9-6.9-1.4c-2.3-.6-4.2-1.6-5.7-2.9-1.6-1.4-2.3-3.5-2.3-6.3 0-4.1 1.5-6.9 4.6-8.5s6.4-2.4 9.9-2.4c2.6 0 5 .3 7.2.9 2.2.6 4.3 1.4 6.1 2.4l.8 8.8-5.8.7-.8-5.7c-2.3-1-4.7-1.6-7.2-1.6-2.1 0-3.7.4-5.1 1.1-1.3.8-2 2-2 3.8 0 1.7.8 2.9 2.3 3.6 1.5.7 3.4 1.2 5.7 1.6 2.2.4 4.5.8 6.7 1.4 2.2.6 4.1 1.6 5.7 3 1.4 1.6 2.2 3.7 2.2 6.6zM197.6 73.2h-17.1v-5.5h3.8V51.9c0-3.7-.7-6.3-2.1-7.9-1.4-1.6-3.3-2.3-5.7-2.3-3.2 0-5.6 1.1-7.2 3.4s-2.4 4.6-2.5 6.9v15.6h6v5.5h-17.1v-5.5h3.8V51.9c0-3.8-.7-6.4-2.1-7.9-1.4-1.5-3.3-2.3-5.6-2.3-3.2 0-5.5 1.1-7.2 3.3-1.6 2.2-2.4 4.5-2.5 6.9v15.8h6.9v5.5h-20.2v-5.5h6V42.4h-6.1v-5.6h13.4v6.4c1.2-2.1 2.7-3.8 4.7-5.2 2-1.3 4.4-2 7.3-2s5.3.7 7.5 2.1c2.2 1.4 3.7 3.5 4.5 6.4 1.1-2.5 2.7-4.5 4.9-6.1s4.8-2.4 7.9-2.4c3.5 0 6.5 1.1 8.9 3.3s3.7 5.6 3.7 10.2v18.2h6.1v5.5zm42.5 0h-13.2V66c-1.2 2.2-2.8 4.1-4.9 5.6-2.1 1.6-4.8 2.4-8.3 2.4-4.8 0-8.7-1.6-11.6-4.9-2.9-3.2-4.3-7.7-4.3-13.3 0-5 1.3-9.6 4-13.7 2.6-4.1 6.9-6.2 12.8-6.2s9.8 2.2 12.3 6.5V22.7h-8.6v-5.6h15.8v50.6h6v5.5zm-13.3-16.8V52c-.1-3-1.2-5.5-3.2-7.3s-4.4-2.8-7.2-2.8c-3.6 0-6.3 1.3-8.2 3.9-1.9 2.6-2.8 5.8-2.8 9.6 0 4.1 1 7.3 3 9.5s4.5 3.3 7.4 3.3c3.2 0 5.8-1.3 7.8-3.8 2.1-2.6 3.1-5.3 3.2-8zm61.5 16.8H269v-5.5h6V51.9c0-3.7-.7-6.3-2.2-7.9-1.4-1.6-3.4-2.3-5.7-2.3-3.1 0-5.6 1-7.4 3s-2.8 4.4-2.9 7v15.9h6v5.5h-19.3v-5.5h6V42.4h-6.2v-5.6h13.6V43c2.6-4.6 6.8-6.9 12.7-6.9 3.6 0 6.7 1.1 9.2 3.3s3.7 5.6 3.7 10.2v18.2h6v5.4h-.2z" class="logo-text"></path> </svg></a><button title="Open main menu" type="button" class="button action has-icon main-menu-toggle" aria-haspopup="menu" aria-label="Open main menu" aria-expanded="false"><span class="button-wrap"><span class="icon icon-menu "></span><span class="visually-hidden">Open main menu</span></span></button> </div> <div class="top-navigation-main"> <nav class="main-nav" aria-label="Main menu"> <ul class="main-menu nojs"> <li class="top-level-entry-container active"><button type="button" id="references-button" class="top-level-entry menu-toggle" aria-controls="references-menu" aria-expanded="false">References</button><a href="https://developer-mozilla-org.translate.goog/en-US/docs/Web?_x_tr_sl=pl&_x_tr_tl=tr&_x_tr_hl=en-GB" class="top-level-entry">References</a> <ul id="references-menu" class="submenu references hidden inline-submenu-lg" aria-labelledby="references-button"> <li class="apis-link-container mobile-only "><a href="https://developer-mozilla-org.translate.goog/en-US/docs/Web?_x_tr_sl=pl&_x_tr_tl=tr&_x_tr_hl=en-GB" class="submenu-item "> <div class="submenu-icon"></div> <div class="submenu-content-container"> <div class="submenu-item-heading"> Overview / Web Technology </div> <p class="submenu-item-description">Web technology reference for developers</p> </div></a></li> <li class="html-link-container "><a href="https://developer-mozilla-org.translate.goog/en-US/docs/Web/HTML?_x_tr_sl=pl&_x_tr_tl=tr&_x_tr_hl=en-GB" class="submenu-item "> <div class="submenu-icon html"></div> <div class="submenu-content-container"> <div class="submenu-item-heading"> HTML </div> <p class="submenu-item-description">Structure of content on the web</p> </div></a></li> <li class="css-link-container "><a href="https://developer-mozilla-org.translate.goog/en-US/docs/Web/CSS?_x_tr_sl=pl&_x_tr_tl=tr&_x_tr_hl=en-GB" class="submenu-item "> <div class="submenu-icon css"></div> <div class="submenu-content-container"> <div class="submenu-item-heading"> CSS </div> <p class="submenu-item-description">Code used to describe document style</p> </div></a></li> <li class="javascript-link-container "><a href="https://developer-mozilla-org.translate.goog/en-US/docs/Web/JavaScript?_x_tr_sl=pl&_x_tr_tl=tr&_x_tr_hl=en-GB" class="submenu-item "> <div class="submenu-icon javascript"></div> <div class="submenu-content-container"> <div class="submenu-item-heading"> JavaScript </div> <p class="submenu-item-description">General-purpose scripting language</p> </div></a></li> <li class="http-link-container "><a href="https://developer-mozilla-org.translate.goog/en-US/docs/Web/HTTP?_x_tr_sl=pl&_x_tr_tl=tr&_x_tr_hl=en-GB" class="submenu-item "> <div class="submenu-icon http"></div> <div class="submenu-content-container"> <div class="submenu-item-heading"> HTTP </div> <p class="submenu-item-description">Protocol for transmitting web resources</p> </div></a></li> <li class="apis-link-container "><a href="https://developer-mozilla-org.translate.goog/en-US/docs/Web/API?_x_tr_sl=pl&_x_tr_tl=tr&_x_tr_hl=en-GB" class="submenu-item "> <div class="submenu-icon apis"></div> <div class="submenu-content-container"> <div class="submenu-item-heading"> Web APIs </div> <p class="submenu-item-description">Interfaces for building web applications</p> </div></a></li> <li class="apis-link-container "><a href="https://developer-mozilla-org.translate.goog/en-US/docs/Mozilla/Add-ons/WebExtensions?_x_tr_sl=pl&_x_tr_tl=tr&_x_tr_hl=en-GB" class="submenu-item "> <div class="submenu-icon"></div> <div class="submenu-content-container"> <div class="submenu-item-heading"> Web Extensions </div> <p class="submenu-item-description">Developing extensions for web browsers</p> </div></a></li> <li class=" "><a href="https://developer-mozilla-org.translate.goog/en-US/docs/Web/Accessibility?_x_tr_sl=pl&_x_tr_tl=tr&_x_tr_hl=en-GB" class="submenu-item "> <div class="submenu-icon"></div> <div class="submenu-content-container"> <div class="submenu-item-heading"> Accessibility </div> <p class="submenu-item-description">Build web projects usable for all</p> </div></a></li> <li class="apis-link-container desktop-only "><a href="https://developer-mozilla-org.translate.goog/en-US/docs/Web?_x_tr_sl=pl&_x_tr_tl=tr&_x_tr_hl=en-GB" class="submenu-item "> <div class="submenu-icon"></div> <div class="submenu-content-container"> <div class="submenu-item-heading"> Web Technology </div> <p class="submenu-item-description">Web technology reference for developers</p> </div></a></li> </ul></li> <li class="top-level-entry-container "><button type="button" id="learn-button" class="top-level-entry menu-toggle" aria-controls="learn-menu" aria-expanded="false">Learn</button><a href="https://developer-mozilla-org.translate.goog/en-US/docs/Learn_web_development?_x_tr_sl=pl&_x_tr_tl=tr&_x_tr_hl=en-GB" class="top-level-entry">Learn</a> <ul id="learn-menu" class="submenu learn hidden inline-submenu-lg" aria-labelledby="learn-button"> <li class="apis-link-container mobile-only "><a href="https://developer-mozilla-org.translate.goog/en-US/docs/Learn_web_development?_x_tr_sl=pl&_x_tr_tl=tr&_x_tr_hl=en-GB" class="submenu-item "> <div class="submenu-icon learn"></div> <div class="submenu-content-container"> <div class="submenu-item-heading"> Overview / MDN Learning Area </div> <p class="submenu-item-description">Learn web development</p> </div></a></li> <li class="apis-link-container desktop-only "><a href="https://developer-mozilla-org.translate.goog/en-US/docs/Learn_web_development?_x_tr_sl=pl&_x_tr_tl=tr&_x_tr_hl=en-GB" class="submenu-item "> <div class="submenu-icon learn"></div> <div class="submenu-content-container"> <div class="submenu-item-heading"> MDN Learning Area </div> <p class="submenu-item-description">Learn web development</p> </div></a></li> <li class="html-link-container "><a href="https://developer-mozilla-org.translate.goog/en-US/docs/Learn_web_development/Core/Structuring_content?_x_tr_sl=pl&_x_tr_tl=tr&_x_tr_hl=en-GB" class="submenu-item "> <div class="submenu-icon html"></div> <div class="submenu-content-container"> <div class="submenu-item-heading"> HTML </div> <p class="submenu-item-description">Learn to structure web content with HTML</p> </div></a></li> <li class="css-link-container "><a href="https://developer-mozilla-org.translate.goog/en-US/docs/Learn_web_development/Core/Styling_basics?_x_tr_sl=pl&_x_tr_tl=tr&_x_tr_hl=en-GB" class="submenu-item "> <div class="submenu-icon css"></div> <div class="submenu-content-container"> <div class="submenu-item-heading"> CSS </div> <p class="submenu-item-description">Learn to style content using CSS</p> </div></a></li> <li class="javascript-link-container "><a href="https://developer-mozilla-org.translate.goog/en-US/docs/Learn_web_development/Core/Scripting?_x_tr_sl=pl&_x_tr_tl=tr&_x_tr_hl=en-GB" class="submenu-item "> <div class="submenu-icon javascript"></div> <div class="submenu-content-container"> <div class="submenu-item-heading"> JavaScript </div> <p class="submenu-item-description">Learn to run scripts in the browser</p> </div></a></li> <li class=" "><a href="https://developer-mozilla-org.translate.goog/en-US/docs/Learn_web_development/Core/Accessibility?_x_tr_sl=pl&_x_tr_tl=tr&_x_tr_hl=en-GB" class="submenu-item "> <div class="submenu-icon"></div> <div class="submenu-content-container"> <div class="submenu-item-heading"> Accessibility </div> <p class="submenu-item-description">Learn to make the web accessible to all</p> </div></a></li> </ul></li> <li class="top-level-entry-container "><button type="button" id="mdn-plus-button" class="top-level-entry menu-toggle" aria-controls="mdn-plus-menu" aria-expanded="false">Plus</button><a href="https://developer-mozilla-org.translate.goog/en-US/plus?_x_tr_sl=pl&_x_tr_tl=tr&_x_tr_hl=en-GB" class="top-level-entry">Plus</a> <ul id="mdn-plus-menu" class="submenu mdn-plus hidden inline-submenu-lg" aria-labelledby="mdn-plus-button"> <li class=" "><a href="https://developer-mozilla-org.translate.goog/en-US/plus?_x_tr_sl=pl&_x_tr_tl=tr&_x_tr_hl=en-GB" class="submenu-item "> <div class="submenu-icon"></div> <div class="submenu-content-container"> <div class="submenu-item-heading"> Overview </div> <p class="submenu-item-description">A customized MDN experience</p> </div></a></li> <li class=" "><a href="https://developer-mozilla-org.translate.goog/en-US/plus/ai-help?_x_tr_sl=pl&_x_tr_tl=tr&_x_tr_hl=en-GB" class="submenu-item "> <div class="submenu-icon"></div> <div class="submenu-content-container"> <div class="submenu-item-heading"> AI Help </div> <p class="submenu-item-description">Get real-time assistance and support</p> </div></a></li> <li class=" "><a href="https://developer-mozilla-org.translate.goog/en-US/plus/updates?_x_tr_sl=pl&_x_tr_tl=tr&_x_tr_hl=en-GB" class="submenu-item "> <div class="submenu-icon"></div> <div class="submenu-content-container"> <div class="submenu-item-heading"> Updates </div> <p class="submenu-item-description">All browser compatibility updates at a glance</p> </div></a></li> <li class=" "><a href="https://developer-mozilla-org.translate.goog/en-US/plus/docs/features/overview?_x_tr_sl=pl&_x_tr_tl=tr&_x_tr_hl=en-GB" class="submenu-item "> <div class="submenu-icon"></div> <div class="submenu-content-container"> <div class="submenu-item-heading"> Documentation </div> <p class="submenu-item-description">Learn how to use MDN Plus</p> </div></a></li> <li class=" "><a href="https://developer-mozilla-org.translate.goog/en-US/plus/docs/faq?_x_tr_sl=pl&_x_tr_tl=tr&_x_tr_hl=en-GB" class="submenu-item "> <div class="submenu-icon"></div> <div class="submenu-content-container"> <div class="submenu-item-heading"> FAQ </div> <p class="submenu-item-description">Frequently asked questions about MDN Plus</p> </div></a></li> </ul></li> <li class="top-level-entry-container "><a class="top-level-entry menu-link" href="https://developer-mozilla-org.translate.goog/en-US/curriculum/?_x_tr_sl=pl&_x_tr_tl=tr&_x_tr_hl=en-GB">Curriculum <sup class="new">New</sup></a></li> <li class="top-level-entry-container "><a class="top-level-entry menu-link" href="https://developer-mozilla-org.translate.goog/en-US/blog/?_x_tr_sl=pl&_x_tr_tl=tr&_x_tr_hl=en-GB">Blog</a></li> <li class="top-level-entry-container "><button type="button" id="tools-button" class="top-level-entry menu-toggle" aria-controls="tools-menu" aria-expanded="false">Tools</button> <ul id="tools-menu" class="submenu tools hidden inline-submenu-lg" aria-labelledby="tools-button"> <li class=" "><a href="https://developer-mozilla-org.translate.goog/en-US/play?_x_tr_sl=pl&_x_tr_tl=tr&_x_tr_hl=en-GB" class="submenu-item "> <div class="submenu-icon"></div> <div class="submenu-content-container"> <div class="submenu-item-heading"> Playground </div> <p class="submenu-item-description">Write, test and share your code</p> </div></a></li> <li class=" "><a href="https://developer-mozilla-org.translate.goog/en-US/observatory?_x_tr_sl=pl&_x_tr_tl=tr&_x_tr_hl=en-GB" class="submenu-item "> <div class="submenu-icon"></div> <div class="submenu-content-container"> <div class="submenu-item-heading"> HTTP Observatory </div> <p class="submenu-item-description">Scan a website for free</p> </div></a></li> <li class=" "><a href="https://developer-mozilla-org.translate.goog/en-US/plus/ai-help?_x_tr_sl=pl&_x_tr_tl=tr&_x_tr_hl=en-GB" class="submenu-item "> <div class="submenu-icon"></div> <div class="submenu-content-container"> <div class="submenu-item-heading"> AI Help </div> <p class="submenu-item-description">Get real-time assistance and support</p> </div></a></li> </ul></li> </ul> </nav> <div class="header-search"> <form action="/en-US/search" class="search-form search-widget" id="top-nav-search-form" role="search"> <label id="top-nav-search-label" for="top-nav-search-input" class="visually-hidden">Search MDN</label><input aria-activedescendant="" aria-autocomplete="list" aria-controls="top-nav-search-menu" aria-expanded="false" aria-labelledby="top-nav-search-label" autocomplete="off" id="top-nav-search-input" role="combobox" type="search" class="search-input-field" name="q" placeholder=" " required value=""><button type="button" class="button action has-icon clear-search-button"><span class="button-wrap"><span class="icon icon-cancel "></span><span class="visually-hidden">Clear search input</span></span></button><button type="submit" class="button action has-icon search-button"><span class="button-wrap"><span class="icon icon-search "></span><span class="visually-hidden">Search</span></span></button> <div id="top-nav-search-menu" role="listbox" aria-labelledby="top-nav-search-label"></div> </form> </div> <div class="theme-switcher-menu"> <button type="button" class="button action has-icon theme-switcher-menu small" aria-haspopup="menu"><span class="button-wrap"><span class="icon icon-theme-os-default "></span>Theme</span></button> </div> <ul class="auth-container"> <li><a href="https://developer-mozilla-org.translate.goog/users/fxa/login/authenticate/?next=/en-US/docs/Web/HTTP/CORS&_x_tr_sl=pl&_x_tr_tl=tr&_x_tr_hl=en-GB" class="login-link" rel="nofollow">Log in</a></li> <li><a href="https://developer-mozilla-org.translate.goog/users/fxa/login/authenticate/?next=/en-US/docs/Web/HTTP/CORS&_x_tr_sl=pl&_x_tr_tl=tr&_x_tr_hl=en-GB" target="_self" rel="nofollow" class="button primary mdn-plus-subscribe-link"><span class="button-wrap">Sign up for free</span></a></li> </ul> </div> </div> </header> <div class="article-actions-container"> <div class="container"> <button type="button" class="button action has-icon sidebar-button" aria-label="Expand sidebar" aria-expanded="false" aria-controls="sidebar-quicklinks"><span class="button-wrap"><span class="icon icon-sidebar "></span></span></button> <nav class="breadcrumbs-container" aria-label="Breadcrumb"> <ol typeof="BreadcrumbList" vocab="https://schema.org/" aria-label="breadcrumbs"> <li property="itemListElement" typeof="ListItem"><a href="https://developer-mozilla-org.translate.goog/en-US/docs/Web?_x_tr_sl=pl&_x_tr_tl=tr&_x_tr_hl=en-GB" class="breadcrumb" property="item" typeof="WebPage"><span property="name">References</span></a> <meta property="position" content="1"></li> <li property="itemListElement" typeof="ListItem"><a href="https://developer-mozilla-org.translate.goog/en-US/docs/Web/HTTP?_x_tr_sl=pl&_x_tr_tl=tr&_x_tr_hl=en-GB" class="breadcrumb" property="item" typeof="WebPage"><span property="name">HTTP</span></a> <meta property="position" content="2"></li> <li property="itemListElement" typeof="ListItem"><a href="https://developer-mozilla-org.translate.goog/en-US/docs/Web/HTTP/CORS?_x_tr_sl=pl&_x_tr_tl=tr&_x_tr_hl=en-GB" class="breadcrumb-current-page" property="item" typeof="WebPage"><span property="name">Cross-Origin Resource Sharing (CORS)</span></a> <meta property="position" content="3"></li> </ol> </nav> <div class="article-actions"> <button type="button" class="button action has-icon article-actions-toggle" aria-label="Article actions"><span class="button-wrap"><span class="icon icon-ellipses "></span><span class="article-actions-dialog-heading">Article Actions</span></span></button> <ul class="article-actions-entries"> <li class="article-actions-entry"> <div class="languages-switcher-menu open-on-focus-within"> <button id="languages-switcher-button" type="button" class="button action small has-icon languages-switcher-menu" aria-haspopup="menu"><span class="button-wrap"><span class="icon icon-language "></span>English (US)</span></button> <div class="hidden"> <ul class="submenu language-menu " aria-labelledby="language-menu-button"> <li class=" "> <form class="submenu-item locale-redirect-setting"> <div class="group"> <label class="switch"><input type="checkbox" name="locale-redirect"><span class="slider"></span><span class="label">Remember language</span></label><a href="https://translate.google.com/website?sl=pl&tl=tr&hl=en-GB&u=https://github.com/orgs/mdn/discussions/739" rel="external noopener noreferrer" target="_blank" title="Enable this setting to automatically switch to this language when it's available. (Click to learn more.)"><span class="icon icon-question-mark "></span></a> </div> </form></li> <li class=" "><a data-locale="de" href="https://developer-mozilla-org.translate.goog/de/docs/Web/HTTP/CORS?_x_tr_sl=pl&_x_tr_tl=tr&_x_tr_hl=en-GB" class="button submenu-item"><span>Deutsch</span><span title="Diese Übersetzung ist Teil eines Experiments."><span class="icon icon-experimental "></span></span></a></li> <li class=" "><a data-locale="es" href="https://developer-mozilla-org.translate.goog/es/docs/Web/HTTP/CORS?_x_tr_sl=pl&_x_tr_tl=tr&_x_tr_hl=en-GB" class="button submenu-item"><span>Español</span></a></li> <li class=" "><a data-locale="fr" href="https://developer-mozilla-org.translate.goog/fr/docs/Web/HTTP/CORS?_x_tr_sl=pl&_x_tr_tl=tr&_x_tr_hl=en-GB" class="button submenu-item"><span>Français</span></a></li> <li class=" "><a data-locale="ja" href="https://developer-mozilla-org.translate.goog/ja/docs/Web/HTTP/CORS?_x_tr_sl=pl&_x_tr_tl=tr&_x_tr_hl=en-GB" class="button submenu-item"><span>日本語</span></a></li> <li class=" "><a data-locale="ko" href="https://developer-mozilla-org.translate.goog/ko/docs/Web/HTTP/CORS?_x_tr_sl=pl&_x_tr_tl=tr&_x_tr_hl=en-GB" class="button submenu-item"><span>한국어</span></a></li> <li class=" "><a data-locale="pt-BR" href="https://developer-mozilla-org.translate.goog/pt-BR/docs/Web/HTTP/CORS?_x_tr_sl=pl&_x_tr_tl=tr&_x_tr_hl=en-GB" class="button submenu-item"><span>Português (do Brasil)</span></a></li> <li class=" "><a data-locale="ru" href="https://developer-mozilla-org.translate.goog/ru/docs/Web/HTTP/CORS?_x_tr_sl=pl&_x_tr_tl=tr&_x_tr_hl=en-GB" class="button submenu-item"><span>Русский</span></a></li> <li class=" "><a data-locale="zh-CN" href="https://developer-mozilla-org.translate.goog/zh-CN/docs/Web/HTTP/CORS?_x_tr_sl=pl&_x_tr_tl=tr&_x_tr_hl=en-GB" class="button submenu-item"><span>中文 (简体)</span></a></li> <li class=" "><a data-locale="zh-TW" href="https://developer-mozilla-org.translate.goog/zh-TW/docs/Web/HTTP/CORS?_x_tr_sl=pl&_x_tr_tl=tr&_x_tr_hl=en-GB" class="button submenu-item"><span>正體中文 (繁體)</span></a></li> </ul> </div> </div></li> </ul> </div> </div> </div> </div> <div class="main-wrapper"> <div class="sidebar-container"> <aside id="sidebar-quicklinks" class="sidebar"> <button type="button" class="button action backdrop" aria-label="Collapse sidebar"><span class="button-wrap"></span></button> <nav aria-label="Related Topics" class="sidebar-inner"> <header class="sidebar-actions"> <section class="sidebar-filter-container"> <div class="sidebar-filter "> <label id="sidebar-filter-label" class="sidebar-filter-label" for="sidebar-filter-input"><span class="icon icon-filter"></span><span class="visually-hidden">Filter sidebar</span></label><input id="sidebar-filter-input" autocomplete="off" class="sidebar-filter-input-field false" type="text" placeholder="Filter" value=""><button type="button" class="button action has-icon clear-sidebar-filter-button"><span class="button-wrap"><span class="icon icon-cancel "></span><span class="visually-hidden">Clear filter input</span></span></button> </div> </section> </header> <div class="sidebar-inner-nav"> <div class="in-nav-toc"> <div class="document-toc-container"> <section class="document-toc"> <header> <h2 class="document-toc-heading">In this article</h2> </header> <ul class="document-toc-list"> <li class="document-toc-item "><a class="document-toc-link" href="https://developer-mozilla-org.translate.goog/en-US/docs/Web/HTTP/CORS?_x_tr_sl=pl&_x_tr_tl=tr&_x_tr_hl=en-GB#what_requests_use_cors">What requests use CORS?</a></li> <li class="document-toc-item "><a class="document-toc-link" href="https://developer-mozilla-org.translate.goog/en-US/docs/Web/HTTP/CORS?_x_tr_sl=pl&_x_tr_tl=tr&_x_tr_hl=en-GB#functional_overview">Functional overview</a></li> <li class="document-toc-item "><a class="document-toc-link" href="https://developer-mozilla-org.translate.goog/en-US/docs/Web/HTTP/CORS?_x_tr_sl=pl&_x_tr_tl=tr&_x_tr_hl=en-GB#examples_of_access_control_scenarios">Examples of access control scenarios</a></li> <li class="document-toc-item "><a class="document-toc-link" href="https://developer-mozilla-org.translate.goog/en-US/docs/Web/HTTP/CORS?_x_tr_sl=pl&_x_tr_tl=tr&_x_tr_hl=en-GB#the_http_response_headers">The HTTP response headers</a></li> <li class="document-toc-item "><a class="document-toc-link" href="https://developer-mozilla-org.translate.goog/en-US/docs/Web/HTTP/CORS?_x_tr_sl=pl&_x_tr_tl=tr&_x_tr_hl=en-GB#the_http_request_headers">The HTTP request headers</a></li> <li class="document-toc-item "><a class="document-toc-link" href="https://developer-mozilla-org.translate.goog/en-US/docs/Web/HTTP/CORS?_x_tr_sl=pl&_x_tr_tl=tr&_x_tr_hl=en-GB#specifications">Specifications</a></li> <li class="document-toc-item "><a class="document-toc-link" href="https://developer-mozilla-org.translate.goog/en-US/docs/Web/HTTP/CORS?_x_tr_sl=pl&_x_tr_tl=tr&_x_tr_hl=en-GB#browser_compatibility">Browser compatibility</a></li> <li class="document-toc-item "><a class="document-toc-link" href="https://developer-mozilla-org.translate.goog/en-US/docs/Web/HTTP/CORS?_x_tr_sl=pl&_x_tr_tl=tr&_x_tr_hl=en-GB#see_also">See also</a></li> </ul> </section> </div> </div> <div class="sidebar-body"> <ol> <li class="section"><a href="https://developer-mozilla-org.translate.goog/en-US/docs/Web/HTTP?_x_tr_sl=pl&_x_tr_tl=tr&_x_tr_hl=en-GB">HTTP</a></li> <li class="section">Guides</li> <li><a href="https://developer-mozilla-org.translate.goog/en-US/docs/Web/HTTP/Overview?_x_tr_sl=pl&_x_tr_tl=tr&_x_tr_hl=en-GB">An overview of HTTP</a></li> <li><a href="https://developer-mozilla-org.translate.goog/en-US/docs/Web/HTTP/Session?_x_tr_sl=pl&_x_tr_tl=tr&_x_tr_hl=en-GB">A typical HTTP session</a></li> <li><a href="https://developer-mozilla-org.translate.goog/en-US/docs/Web/HTTP/Messages?_x_tr_sl=pl&_x_tr_tl=tr&_x_tr_hl=en-GB">HTTP messages</a></li> <li><a href="https://developer-mozilla-org.translate.goog/en-US/docs/Web/HTTP/MIME_types?_x_tr_sl=pl&_x_tr_tl=tr&_x_tr_hl=en-GB">MIME types (IANA media types)</a></li> <li><a href="https://developer-mozilla-org.translate.goog/en-US/docs/Web/HTTP/Compression?_x_tr_sl=pl&_x_tr_tl=tr&_x_tr_hl=en-GB">Compression in HTTP</a></li> <li><a href="https://developer-mozilla-org.translate.goog/en-US/docs/Web/HTTP/Caching?_x_tr_sl=pl&_x_tr_tl=tr&_x_tr_hl=en-GB">HTTP caching</a></li> <li><a href="https://developer-mozilla-org.translate.goog/en-US/docs/Web/HTTP/Authentication?_x_tr_sl=pl&_x_tr_tl=tr&_x_tr_hl=en-GB">HTTP authentication</a></li> <li><a href="https://developer-mozilla-org.translate.goog/en-US/docs/Web/HTTP/Cookies?_x_tr_sl=pl&_x_tr_tl=tr&_x_tr_hl=en-GB">Using HTTP cookies</a></li> <li><a href="https://developer-mozilla-org.translate.goog/en-US/docs/Web/HTTP/Redirections?_x_tr_sl=pl&_x_tr_tl=tr&_x_tr_hl=en-GB">Redirections in HTTP</a></li> <li><a href="https://developer-mozilla-org.translate.goog/en-US/docs/Web/HTTP/Conditional_requests?_x_tr_sl=pl&_x_tr_tl=tr&_x_tr_hl=en-GB">HTTP conditional requests</a></li> <li><a href="https://developer-mozilla-org.translate.goog/en-US/docs/Web/HTTP/Range_requests?_x_tr_sl=pl&_x_tr_tl=tr&_x_tr_hl=en-GB">HTTP range requests</a></li> <li><a href="https://developer-mozilla-org.translate.goog/en-US/docs/Web/HTTP/Content_negotiation?_x_tr_sl=pl&_x_tr_tl=tr&_x_tr_hl=en-GB">Content negotiation</a></li> <li><a href="https://developer-mozilla-org.translate.goog/en-US/docs/Web/HTTP/Connection_management_in_HTTP_1.x?_x_tr_sl=pl&_x_tr_tl=tr&_x_tr_hl=en-GB">Connection management in HTTP/1.x</a></li> <li><a href="https://developer-mozilla-org.translate.goog/en-US/docs/Web/HTTP/Evolution_of_HTTP?_x_tr_sl=pl&_x_tr_tl=tr&_x_tr_hl=en-GB">Evolution of HTTP</a></li> <li><a href="https://developer-mozilla-org.translate.goog/en-US/docs/Web/HTTP/Protocol_upgrade_mechanism?_x_tr_sl=pl&_x_tr_tl=tr&_x_tr_hl=en-GB">Protocol upgrade mechanism</a></li> <li><a href="https://developer-mozilla-org.translate.goog/en-US/docs/Web/HTTP/Proxy_servers_and_tunneling?_x_tr_sl=pl&_x_tr_tl=tr&_x_tr_hl=en-GB">Proxy servers and tunneling</a></li> <li><a href="https://developer-mozilla-org.translate.goog/en-US/docs/Web/HTTP/Client_hints?_x_tr_sl=pl&_x_tr_tl=tr&_x_tr_hl=en-GB">HTTP Client hints</a></li> <li class="toggle"> <details open> <summary>Security and privacy</summary> <ol> <li><a href="https://developer-mozilla-org.translate.goog/en-US/docs/Web/Security/Practical_implementation_guides?_x_tr_sl=pl&_x_tr_tl=tr&_x_tr_hl=en-GB">Practical security implementation guides</a></li> <li><a href="https://developer-mozilla-org.translate.goog/en-US/observatory?_x_tr_sl=pl&_x_tr_tl=tr&_x_tr_hl=en-GB">HTTP Observatory</a></li> <li><a href="https://developer-mozilla-org.translate.goog/en-US/docs/Web/HTTP/Permissions_Policy?_x_tr_sl=pl&_x_tr_tl=tr&_x_tr_hl=en-GB">Permissions Policy</a><abbr class="icon icon-experimental" title="Experimental. Expect behavior to change in the future."> <span class="visually-hidden">Experimental</span> </abbr></li> <li><a href="https://developer-mozilla-org.translate.goog/en-US/docs/Web/HTTP/CSP?_x_tr_sl=pl&_x_tr_tl=tr&_x_tr_hl=en-GB">Content Security Policy (CSP)</a></li> <li><em><a href="https://developer-mozilla-org.translate.goog/en-US/docs/Web/HTTP/CORS?_x_tr_sl=pl&_x_tr_tl=tr&_x_tr_hl=en-GB" aria-current="page">Cross-Origin Resource Sharing (CORS)</a></em></li> <li><a href="https://developer-mozilla-org.translate.goog/en-US/docs/Web/HTTP/Cross-Origin_Resource_Policy?_x_tr_sl=pl&_x_tr_tl=tr&_x_tr_hl=en-GB">Cross-Origin Resource Policy (CORP)</a></li> <li><a href="https://developer-mozilla-org.translate.goog/en-US/docs/Web/HTTP/Headers?_x_tr_sl=pl&_x_tr_tl=tr&_x_tr_hl=en-GB">Headers</a></li> </ol> </details></li> <li class="section">References</li> <li class="toggle"> <details> <summary>HTTP headers</summary> <ol> <li><a href="https://developer-mozilla-org.translate.goog/en-US/docs/Web/HTTP/Headers/Accept?_x_tr_sl=pl&_x_tr_tl=tr&_x_tr_hl=en-GB"><code>Accept</code></a></li> <li><a href="https://developer-mozilla-org.translate.goog/en-US/docs/Web/HTTP/Headers/Accept-CH?_x_tr_sl=pl&_x_tr_tl=tr&_x_tr_hl=en-GB"><code>Accept-CH</code></a></li> <li><a href="https://developer-mozilla-org.translate.goog/en-US/docs/Web/HTTP/Headers/Accept-Encoding?_x_tr_sl=pl&_x_tr_tl=tr&_x_tr_hl=en-GB"><code>Accept-Encoding</code></a></li> <li><a href="https://developer-mozilla-org.translate.goog/en-US/docs/Web/HTTP/Headers/Accept-Language?_x_tr_sl=pl&_x_tr_tl=tr&_x_tr_hl=en-GB"><code>Accept-Language</code></a></li> <li><a href="https://developer-mozilla-org.translate.goog/en-US/docs/Web/HTTP/Headers/Accept-Patch?_x_tr_sl=pl&_x_tr_tl=tr&_x_tr_hl=en-GB"><code>Accept-Patch</code></a></li> <li><a href="https://developer-mozilla-org.translate.goog/en-US/docs/Web/HTTP/Headers/Accept-Post?_x_tr_sl=pl&_x_tr_tl=tr&_x_tr_hl=en-GB"><code>Accept-Post</code></a></li> <li><a href="https://developer-mozilla-org.translate.goog/en-US/docs/Web/HTTP/Headers/Accept-Ranges?_x_tr_sl=pl&_x_tr_tl=tr&_x_tr_hl=en-GB"><code>Accept-Ranges</code></a></li> <li><a href="https://developer-mozilla-org.translate.goog/en-US/docs/Web/HTTP/Headers/Access-Control-Allow-Credentials?_x_tr_sl=pl&_x_tr_tl=tr&_x_tr_hl=en-GB"><code>Access-Control-Allow-Credentials</code></a></li> <li><a href="https://developer-mozilla-org.translate.goog/en-US/docs/Web/HTTP/Headers/Access-Control-Allow-Headers?_x_tr_sl=pl&_x_tr_tl=tr&_x_tr_hl=en-GB"><code>Access-Control-Allow-Headers</code></a></li> <li><a href="https://developer-mozilla-org.translate.goog/en-US/docs/Web/HTTP/Headers/Access-Control-Allow-Methods?_x_tr_sl=pl&_x_tr_tl=tr&_x_tr_hl=en-GB"><code>Access-Control-Allow-Methods</code></a></li> <li><a href="https://developer-mozilla-org.translate.goog/en-US/docs/Web/HTTP/Headers/Access-Control-Allow-Origin?_x_tr_sl=pl&_x_tr_tl=tr&_x_tr_hl=en-GB"><code>Access-Control-Allow-Origin</code></a></li> <li><a href="https://developer-mozilla-org.translate.goog/en-US/docs/Web/HTTP/Headers/Access-Control-Expose-Headers?_x_tr_sl=pl&_x_tr_tl=tr&_x_tr_hl=en-GB"><code>Access-Control-Expose-Headers</code></a></li> <li><a href="https://developer-mozilla-org.translate.goog/en-US/docs/Web/HTTP/Headers/Access-Control-Max-Age?_x_tr_sl=pl&_x_tr_tl=tr&_x_tr_hl=en-GB"><code>Access-Control-Max-Age</code></a></li> <li><a href="https://developer-mozilla-org.translate.goog/en-US/docs/Web/HTTP/Headers/Access-Control-Request-Headers?_x_tr_sl=pl&_x_tr_tl=tr&_x_tr_hl=en-GB"><code>Access-Control-Request-Headers</code></a></li> <li><a href="https://developer-mozilla-org.translate.goog/en-US/docs/Web/HTTP/Headers/Access-Control-Request-Method?_x_tr_sl=pl&_x_tr_tl=tr&_x_tr_hl=en-GB"><code>Access-Control-Request-Method</code></a></li> <li><a href="https://developer-mozilla-org.translate.goog/en-US/docs/Web/HTTP/Headers/Age?_x_tr_sl=pl&_x_tr_tl=tr&_x_tr_hl=en-GB"><code>Age</code></a></li> <li><a href="https://developer-mozilla-org.translate.goog/en-US/docs/Web/HTTP/Headers/Allow?_x_tr_sl=pl&_x_tr_tl=tr&_x_tr_hl=en-GB"><code>Allow</code></a></li> <li><a href="https://developer-mozilla-org.translate.goog/en-US/docs/Web/HTTP/Headers/Alt-Svc?_x_tr_sl=pl&_x_tr_tl=tr&_x_tr_hl=en-GB"><code>Alt-Svc</code></a></li> <li><a href="https://developer-mozilla-org.translate.goog/en-US/docs/Web/HTTP/Headers/Alt-Used?_x_tr_sl=pl&_x_tr_tl=tr&_x_tr_hl=en-GB"><code>Alt-Used</code></a></li> <li><a href="https://developer-mozilla-org.translate.goog/en-US/docs/Web/HTTP/Headers/Attribution-Reporting-Eligible?_x_tr_sl=pl&_x_tr_tl=tr&_x_tr_hl=en-GB"><code>Attribution-Reporting-Eligible</code></a><abbr class="icon icon-experimental" title="Experimental. Expect behavior to change in the future."> <span class="visually-hidden">Experimental</span> </abbr></li> <li><a href="https://developer-mozilla-org.translate.goog/en-US/docs/Web/HTTP/Headers/Attribution-Reporting-Register-Source?_x_tr_sl=pl&_x_tr_tl=tr&_x_tr_hl=en-GB"><code>Attribution-Reporting-Register-Source</code></a><abbr class="icon icon-experimental" title="Experimental. Expect behavior to change in the future."> <span class="visually-hidden">Experimental</span> </abbr></li> <li><a href="https://developer-mozilla-org.translate.goog/en-US/docs/Web/HTTP/Headers/Attribution-Reporting-Register-Trigger?_x_tr_sl=pl&_x_tr_tl=tr&_x_tr_hl=en-GB"><code>Attribution-Reporting-Register-Trigger</code></a><abbr class="icon icon-experimental" title="Experimental. Expect behavior to change in the future."> <span class="visually-hidden">Experimental</span> </abbr></li> <li><a href="https://developer-mozilla-org.translate.goog/en-US/docs/Web/HTTP/Headers/Authorization?_x_tr_sl=pl&_x_tr_tl=tr&_x_tr_hl=en-GB"><code>Authorization</code></a></li> <li><a href="https://developer-mozilla-org.translate.goog/en-US/docs/Web/HTTP/Headers/Cache-Control?_x_tr_sl=pl&_x_tr_tl=tr&_x_tr_hl=en-GB"><code>Cache-Control</code></a></li> <li><a href="https://developer-mozilla-org.translate.goog/en-US/docs/Web/HTTP/Headers/Clear-Site-Data?_x_tr_sl=pl&_x_tr_tl=tr&_x_tr_hl=en-GB"><code>Clear-Site-Data</code></a></li> <li><a href="https://developer-mozilla-org.translate.goog/en-US/docs/Web/HTTP/Headers/Connection?_x_tr_sl=pl&_x_tr_tl=tr&_x_tr_hl=en-GB"><code>Connection</code></a></li> <li><a href="https://developer-mozilla-org.translate.goog/en-US/docs/Web/HTTP/Headers/Content-Digest?_x_tr_sl=pl&_x_tr_tl=tr&_x_tr_hl=en-GB"><code>Content-Digest</code></a></li> <li><a href="https://developer-mozilla-org.translate.goog/en-US/docs/Web/HTTP/Headers/Content-Disposition?_x_tr_sl=pl&_x_tr_tl=tr&_x_tr_hl=en-GB"><code>Content-Disposition</code></a></li> <li><a href="https://developer-mozilla-org.translate.goog/en-US/docs/Web/HTTP/Headers/Content-DPR?_x_tr_sl=pl&_x_tr_tl=tr&_x_tr_hl=en-GB"><code>Content-DPR</code></a><abbr class="icon icon-nonstandard" title="Non-standard. Check cross-browser support before using."> <span class="visually-hidden">Non-standard</span> </abbr><abbr class="icon icon-deprecated" title="Deprecated. Not for use in new websites."> <span class="visually-hidden">Deprecated</span> </abbr></li> <li><a href="https://developer-mozilla-org.translate.goog/en-US/docs/Web/HTTP/Headers/Content-Encoding?_x_tr_sl=pl&_x_tr_tl=tr&_x_tr_hl=en-GB"><code>Content-Encoding</code></a></li> <li><a href="https://developer-mozilla-org.translate.goog/en-US/docs/Web/HTTP/Headers/Content-Language?_x_tr_sl=pl&_x_tr_tl=tr&_x_tr_hl=en-GB"><code>Content-Language</code></a></li> <li><a href="https://developer-mozilla-org.translate.goog/en-US/docs/Web/HTTP/Headers/Content-Length?_x_tr_sl=pl&_x_tr_tl=tr&_x_tr_hl=en-GB"><code>Content-Length</code></a></li> <li><a href="https://developer-mozilla-org.translate.goog/en-US/docs/Web/HTTP/Headers/Content-Location?_x_tr_sl=pl&_x_tr_tl=tr&_x_tr_hl=en-GB"><code>Content-Location</code></a></li> <li><a href="https://developer-mozilla-org.translate.goog/en-US/docs/Web/HTTP/Headers/Content-Range?_x_tr_sl=pl&_x_tr_tl=tr&_x_tr_hl=en-GB"><code>Content-Range</code></a></li> <li><a href="https://developer-mozilla-org.translate.goog/en-US/docs/Web/HTTP/Headers/Content-Security-Policy?_x_tr_sl=pl&_x_tr_tl=tr&_x_tr_hl=en-GB"><code>Content-Security-Policy</code></a></li> <li><a href="https://developer-mozilla-org.translate.goog/en-US/docs/Web/HTTP/Headers/Content-Security-Policy-Report-Only?_x_tr_sl=pl&_x_tr_tl=tr&_x_tr_hl=en-GB"><code>Content-Security-Policy-Report-Only</code></a></li> <li><a href="https://developer-mozilla-org.translate.goog/en-US/docs/Web/HTTP/Headers/Content-Type?_x_tr_sl=pl&_x_tr_tl=tr&_x_tr_hl=en-GB"><code>Content-Type</code></a></li> <li><a href="https://developer-mozilla-org.translate.goog/en-US/docs/Web/HTTP/Headers/Cookie?_x_tr_sl=pl&_x_tr_tl=tr&_x_tr_hl=en-GB"><code>Cookie</code></a></li> <li><a href="https://developer-mozilla-org.translate.goog/en-US/docs/Web/HTTP/Headers/Critical-CH?_x_tr_sl=pl&_x_tr_tl=tr&_x_tr_hl=en-GB"><code>Critical-CH</code></a><abbr class="icon icon-experimental" title="Experimental. Expect behavior to change in the future."> <span class="visually-hidden">Experimental</span> </abbr></li> <li><a href="https://developer-mozilla-org.translate.goog/en-US/docs/Web/HTTP/Headers/Cross-Origin-Embedder-Policy?_x_tr_sl=pl&_x_tr_tl=tr&_x_tr_hl=en-GB"><code>Cross-Origin-Embedder-Policy</code></a></li> <li><a href="https://developer-mozilla-org.translate.goog/en-US/docs/Web/HTTP/Headers/Cross-Origin-Opener-Policy?_x_tr_sl=pl&_x_tr_tl=tr&_x_tr_hl=en-GB"><code>Cross-Origin-Opener-Policy</code></a></li> <li><a href="https://developer-mozilla-org.translate.goog/en-US/docs/Web/HTTP/Headers/Cross-Origin-Resource-Policy?_x_tr_sl=pl&_x_tr_tl=tr&_x_tr_hl=en-GB"><code>Cross-Origin-Resource-Policy</code></a></li> <li><a href="https://developer-mozilla-org.translate.goog/en-US/docs/Web/HTTP/Headers/Date?_x_tr_sl=pl&_x_tr_tl=tr&_x_tr_hl=en-GB"><code>Date</code></a></li> <li><a href="https://developer-mozilla-org.translate.goog/en-US/docs/Web/HTTP/Headers/Device-Memory?_x_tr_sl=pl&_x_tr_tl=tr&_x_tr_hl=en-GB"><code>Device-Memory</code></a></li> <li><a href="https://developer-mozilla-org.translate.goog/en-US/docs/Web/HTTP/Headers/DNT?_x_tr_sl=pl&_x_tr_tl=tr&_x_tr_hl=en-GB"><code>DNT</code></a><abbr class="icon icon-nonstandard" title="Non-standard. Check cross-browser support before using."> <span class="visually-hidden">Non-standard</span> </abbr><abbr class="icon icon-deprecated" title="Deprecated. Not for use in new websites."> <span class="visually-hidden">Deprecated</span> </abbr></li> <li><a href="https://developer-mozilla-org.translate.goog/en-US/docs/Web/HTTP/Headers/Downlink?_x_tr_sl=pl&_x_tr_tl=tr&_x_tr_hl=en-GB"><code>Downlink</code></a><abbr class="icon icon-experimental" title="Experimental. Expect behavior to change in the future."> <span class="visually-hidden">Experimental</span> </abbr></li> <li><a href="https://developer-mozilla-org.translate.goog/en-US/docs/Web/HTTP/Headers/DPR?_x_tr_sl=pl&_x_tr_tl=tr&_x_tr_hl=en-GB"><code>DPR</code></a><abbr class="icon icon-nonstandard" title="Non-standard. Check cross-browser support before using."> <span class="visually-hidden">Non-standard</span> </abbr><abbr class="icon icon-deprecated" title="Deprecated. Not for use in new websites."> <span class="visually-hidden">Deprecated</span> </abbr></li> <li><a href="https://developer-mozilla-org.translate.goog/en-US/docs/Web/HTTP/Headers/Early-Data?_x_tr_sl=pl&_x_tr_tl=tr&_x_tr_hl=en-GB"><code>Early-Data</code></a><abbr class="icon icon-experimental" title="Experimental. Expect behavior to change in the future."> <span class="visually-hidden">Experimental</span> </abbr></li> <li><a href="https://developer-mozilla-org.translate.goog/en-US/docs/Web/HTTP/Headers/ECT?_x_tr_sl=pl&_x_tr_tl=tr&_x_tr_hl=en-GB"><code>ECT</code></a><abbr class="icon icon-experimental" title="Experimental. Expect behavior to change in the future."> <span class="visually-hidden">Experimental</span> </abbr></li> <li><a href="https://developer-mozilla-org.translate.goog/en-US/docs/Web/HTTP/Headers/ETag?_x_tr_sl=pl&_x_tr_tl=tr&_x_tr_hl=en-GB"><code>ETag</code></a></li> <li><a href="https://developer-mozilla-org.translate.goog/en-US/docs/Web/HTTP/Headers/Expect?_x_tr_sl=pl&_x_tr_tl=tr&_x_tr_hl=en-GB"><code>Expect</code></a></li> <li><a href="https://developer-mozilla-org.translate.goog/en-US/docs/Web/HTTP/Headers/Expect-CT?_x_tr_sl=pl&_x_tr_tl=tr&_x_tr_hl=en-GB"><code>Expect-CT</code></a><abbr class="icon icon-deprecated" title="Deprecated. Not for use in new websites."> <span class="visually-hidden">Deprecated</span> </abbr></li> <li><a href="https://developer-mozilla-org.translate.goog/en-US/docs/Web/HTTP/Headers/Expires?_x_tr_sl=pl&_x_tr_tl=tr&_x_tr_hl=en-GB"><code>Expires</code></a></li> <li><a href="https://developer-mozilla-org.translate.goog/en-US/docs/Web/HTTP/Headers/Forwarded?_x_tr_sl=pl&_x_tr_tl=tr&_x_tr_hl=en-GB"><code>Forwarded</code></a></li> <li><a href="https://developer-mozilla-org.translate.goog/en-US/docs/Web/HTTP/Headers/From?_x_tr_sl=pl&_x_tr_tl=tr&_x_tr_hl=en-GB"><code>From</code></a></li> <li><a href="https://developer-mozilla-org.translate.goog/en-US/docs/Web/HTTP/Headers/Host?_x_tr_sl=pl&_x_tr_tl=tr&_x_tr_hl=en-GB"><code>Host</code></a></li> <li><a href="https://developer-mozilla-org.translate.goog/en-US/docs/Web/HTTP/Headers/If-Match?_x_tr_sl=pl&_x_tr_tl=tr&_x_tr_hl=en-GB"><code>If-Match</code></a></li> <li><a href="https://developer-mozilla-org.translate.goog/en-US/docs/Web/HTTP/Headers/If-Modified-Since?_x_tr_sl=pl&_x_tr_tl=tr&_x_tr_hl=en-GB"><code>If-Modified-Since</code></a></li> <li><a href="https://developer-mozilla-org.translate.goog/en-US/docs/Web/HTTP/Headers/If-None-Match?_x_tr_sl=pl&_x_tr_tl=tr&_x_tr_hl=en-GB"><code>If-None-Match</code></a></li> <li><a href="https://developer-mozilla-org.translate.goog/en-US/docs/Web/HTTP/Headers/If-Range?_x_tr_sl=pl&_x_tr_tl=tr&_x_tr_hl=en-GB"><code>If-Range</code></a></li> <li><a href="https://developer-mozilla-org.translate.goog/en-US/docs/Web/HTTP/Headers/If-Unmodified-Since?_x_tr_sl=pl&_x_tr_tl=tr&_x_tr_hl=en-GB"><code>If-Unmodified-Since</code></a></li> <li><a href="https://developer-mozilla-org.translate.goog/en-US/docs/Web/HTTP/Headers/Keep-Alive?_x_tr_sl=pl&_x_tr_tl=tr&_x_tr_hl=en-GB"><code>Keep-Alive</code></a></li> <li><a href="https://developer-mozilla-org.translate.goog/en-US/docs/Web/HTTP/Headers/Last-Modified?_x_tr_sl=pl&_x_tr_tl=tr&_x_tr_hl=en-GB"><code>Last-Modified</code></a></li> <li><a href="https://developer-mozilla-org.translate.goog/en-US/docs/Web/HTTP/Headers/Link?_x_tr_sl=pl&_x_tr_tl=tr&_x_tr_hl=en-GB"><code>Link</code></a></li> <li><a href="https://developer-mozilla-org.translate.goog/en-US/docs/Web/HTTP/Headers/Location?_x_tr_sl=pl&_x_tr_tl=tr&_x_tr_hl=en-GB"><code>Location</code></a></li> <li><a href="https://developer-mozilla-org.translate.goog/en-US/docs/Web/HTTP/Headers/Max-Forwards?_x_tr_sl=pl&_x_tr_tl=tr&_x_tr_hl=en-GB"><code>Max-Forwards</code></a></li> <li><a href="https://developer-mozilla-org.translate.goog/en-US/docs/Web/HTTP/Headers/NEL?_x_tr_sl=pl&_x_tr_tl=tr&_x_tr_hl=en-GB"><code>NEL</code></a><abbr class="icon icon-experimental" title="Experimental. Expect behavior to change in the future."> <span class="visually-hidden">Experimental</span> </abbr></li> <li><a href="https://developer-mozilla-org.translate.goog/en-US/docs/Web/HTTP/Headers/No-Vary-Search?_x_tr_sl=pl&_x_tr_tl=tr&_x_tr_hl=en-GB"><code>No-Vary-Search</code></a><abbr class="icon icon-experimental" title="Experimental. Expect behavior to change in the future."> <span class="visually-hidden">Experimental</span> </abbr></li> <li><a href="https://developer-mozilla-org.translate.goog/en-US/docs/Web/HTTP/Headers/Observe-Browsing-Topics?_x_tr_sl=pl&_x_tr_tl=tr&_x_tr_hl=en-GB"><code>Observe-Browsing-Topics</code></a><abbr class="icon icon-experimental" title="Experimental. Expect behavior to change in the future."> <span class="visually-hidden">Experimental</span> </abbr><abbr class="icon icon-nonstandard" title="Non-standard. Check cross-browser support before using."> <span class="visually-hidden">Non-standard</span> </abbr></li> <li><a href="https://developer-mozilla-org.translate.goog/en-US/docs/Web/HTTP/Headers/Origin?_x_tr_sl=pl&_x_tr_tl=tr&_x_tr_hl=en-GB"><code>Origin</code></a></li> <li><a href="https://developer-mozilla-org.translate.goog/en-US/docs/Web/HTTP/Headers/Origin-Agent-Cluster?_x_tr_sl=pl&_x_tr_tl=tr&_x_tr_hl=en-GB"><code>Origin-Agent-Cluster</code></a><abbr class="icon icon-experimental" title="Experimental. Expect behavior to change in the future."> <span class="visually-hidden">Experimental</span> </abbr></li> <li><a href="https://developer-mozilla-org.translate.goog/en-US/docs/Web/HTTP/Headers/Permissions-Policy?_x_tr_sl=pl&_x_tr_tl=tr&_x_tr_hl=en-GB"><code>Permissions-Policy</code></a><abbr class="icon icon-experimental" title="Experimental. Expect behavior to change in the future."> <span class="visually-hidden">Experimental</span> </abbr></li> <li><a href="https://developer-mozilla-org.translate.goog/en-US/docs/Web/HTTP/Headers/Pragma?_x_tr_sl=pl&_x_tr_tl=tr&_x_tr_hl=en-GB"><code>Pragma</code></a><abbr class="icon icon-deprecated" title="Deprecated. Not for use in new websites."> <span class="visually-hidden">Deprecated</span> </abbr></li> <li><a href="https://developer-mozilla-org.translate.goog/en-US/docs/Web/HTTP/Headers/Priority?_x_tr_sl=pl&_x_tr_tl=tr&_x_tr_hl=en-GB"><code>Priority</code></a></li> <li><a href="https://developer-mozilla-org.translate.goog/en-US/docs/Web/HTTP/Headers/Proxy-Authenticate?_x_tr_sl=pl&_x_tr_tl=tr&_x_tr_hl=en-GB"><code>Proxy-Authenticate</code></a></li> <li><a href="https://developer-mozilla-org.translate.goog/en-US/docs/Web/HTTP/Headers/Proxy-Authorization?_x_tr_sl=pl&_x_tr_tl=tr&_x_tr_hl=en-GB"><code>Proxy-Authorization</code></a></li> <li><a href="https://developer-mozilla-org.translate.goog/en-US/docs/Web/HTTP/Headers/Range?_x_tr_sl=pl&_x_tr_tl=tr&_x_tr_hl=en-GB"><code>Range</code></a></li> <li><a href="https://developer-mozilla-org.translate.goog/en-US/docs/Web/HTTP/Headers/Referer?_x_tr_sl=pl&_x_tr_tl=tr&_x_tr_hl=en-GB"><code>Referer</code></a></li> <li><a href="https://developer-mozilla-org.translate.goog/en-US/docs/Web/HTTP/Headers/Referrer-Policy?_x_tr_sl=pl&_x_tr_tl=tr&_x_tr_hl=en-GB"><code>Referrer-Policy</code></a></li> <li><a href="https://developer-mozilla-org.translate.goog/en-US/docs/Web/HTTP/Headers/Refresh?_x_tr_sl=pl&_x_tr_tl=tr&_x_tr_hl=en-GB"><code>Refresh</code></a></li> <li><a href="https://developer-mozilla-org.translate.goog/en-US/docs/Web/HTTP/Headers/Report-To?_x_tr_sl=pl&_x_tr_tl=tr&_x_tr_hl=en-GB"><code>Report-To</code></a><abbr class="icon icon-nonstandard" title="Non-standard. Check cross-browser support before using."> <span class="visually-hidden">Non-standard</span> </abbr><abbr class="icon icon-deprecated" title="Deprecated. Not for use in new websites."> <span class="visually-hidden">Deprecated</span> </abbr></li> <li><a href="https://developer-mozilla-org.translate.goog/en-US/docs/Web/HTTP/Headers/Reporting-Endpoints?_x_tr_sl=pl&_x_tr_tl=tr&_x_tr_hl=en-GB"><code>Reporting-Endpoints</code></a><abbr class="icon icon-experimental" title="Experimental. Expect behavior to change in the future."> <span class="visually-hidden">Experimental</span> </abbr></li> <li><a href="https://developer-mozilla-org.translate.goog/en-US/docs/Web/HTTP/Headers/Repr-Digest?_x_tr_sl=pl&_x_tr_tl=tr&_x_tr_hl=en-GB"><code>Repr-Digest</code></a></li> <li><a href="https://developer-mozilla-org.translate.goog/en-US/docs/Web/HTTP/Headers/Retry-After?_x_tr_sl=pl&_x_tr_tl=tr&_x_tr_hl=en-GB"><code>Retry-After</code></a></li> <li><a href="https://developer-mozilla-org.translate.goog/en-US/docs/Web/HTTP/Headers/RTT?_x_tr_sl=pl&_x_tr_tl=tr&_x_tr_hl=en-GB"><code>RTT</code></a><abbr class="icon icon-experimental" title="Experimental. Expect behavior to change in the future."> <span class="visually-hidden">Experimental</span> </abbr></li> <li><a href="https://developer-mozilla-org.translate.goog/en-US/docs/Web/HTTP/Headers/Save-Data?_x_tr_sl=pl&_x_tr_tl=tr&_x_tr_hl=en-GB"><code>Save-Data</code></a><abbr class="icon icon-experimental" title="Experimental. Expect behavior to change in the future."> <span class="visually-hidden">Experimental</span> </abbr></li> <li><a href="https://developer-mozilla-org.translate.goog/en-US/docs/Web/HTTP/Headers/Sec-Browsing-Topics?_x_tr_sl=pl&_x_tr_tl=tr&_x_tr_hl=en-GB"><code>Sec-Browsing-Topics</code></a><abbr class="icon icon-experimental" title="Experimental. Expect behavior to change in the future."> <span class="visually-hidden">Experimental</span> </abbr><abbr class="icon icon-nonstandard" title="Non-standard. Check cross-browser support before using."> <span class="visually-hidden">Non-standard</span> </abbr></li> <li><a href="https://developer-mozilla-org.translate.goog/en-US/docs/Web/HTTP/Headers/Sec-CH-Prefers-Color-Scheme?_x_tr_sl=pl&_x_tr_tl=tr&_x_tr_hl=en-GB"><code>Sec-CH-Prefers-Color-Scheme</code></a><abbr class="icon icon-experimental" title="Experimental. Expect behavior to change in the future."> <span class="visually-hidden">Experimental</span> </abbr></li> <li><a href="https://developer-mozilla-org.translate.goog/en-US/docs/Web/HTTP/Headers/Sec-CH-Prefers-Reduced-Motion?_x_tr_sl=pl&_x_tr_tl=tr&_x_tr_hl=en-GB"><code>Sec-CH-Prefers-Reduced-Motion</code></a><abbr class="icon icon-experimental" title="Experimental. Expect behavior to change in the future."> <span class="visually-hidden">Experimental</span> </abbr></li> <li><a href="https://developer-mozilla-org.translate.goog/en-US/docs/Web/HTTP/Headers/Sec-CH-Prefers-Reduced-Transparency?_x_tr_sl=pl&_x_tr_tl=tr&_x_tr_hl=en-GB"><code>Sec-CH-Prefers-Reduced-Transparency</code></a><abbr class="icon icon-experimental" title="Experimental. Expect behavior to change in the future."> <span class="visually-hidden">Experimental</span> </abbr></li> <li><a href="https://developer-mozilla-org.translate.goog/en-US/docs/Web/HTTP/Headers/Sec-CH-UA?_x_tr_sl=pl&_x_tr_tl=tr&_x_tr_hl=en-GB"><code>Sec-CH-UA</code></a><abbr class="icon icon-experimental" title="Experimental. Expect behavior to change in the future."> <span class="visually-hidden">Experimental</span> </abbr></li> <li><a href="https://developer-mozilla-org.translate.goog/en-US/docs/Web/HTTP/Headers/Sec-CH-UA-Arch?_x_tr_sl=pl&_x_tr_tl=tr&_x_tr_hl=en-GB"><code>Sec-CH-UA-Arch</code></a><abbr class="icon icon-experimental" title="Experimental. Expect behavior to change in the future."> <span class="visually-hidden">Experimental</span> </abbr></li> <li><a href="https://developer-mozilla-org.translate.goog/en-US/docs/Web/HTTP/Headers/Sec-CH-UA-Bitness?_x_tr_sl=pl&_x_tr_tl=tr&_x_tr_hl=en-GB"><code>Sec-CH-UA-Bitness</code></a><abbr class="icon icon-experimental" title="Experimental. Expect behavior to change in the future."> <span class="visually-hidden">Experimental</span> </abbr></li> <li><a href="https://developer-mozilla-org.translate.goog/en-US/docs/Web/HTTP/Headers/Sec-CH-UA-Form-Factors?_x_tr_sl=pl&_x_tr_tl=tr&_x_tr_hl=en-GB"><code>Sec-CH-UA-Form-Factors</code></a><abbr class="icon icon-experimental" title="Experimental. Expect behavior to change in the future."> <span class="visually-hidden">Experimental</span> </abbr></li> <li><a href="https://developer-mozilla-org.translate.goog/en-US/docs/Web/HTTP/Headers/Sec-CH-UA-Full-Version?_x_tr_sl=pl&_x_tr_tl=tr&_x_tr_hl=en-GB"><code>Sec-CH-UA-Full-Version</code></a><abbr class="icon icon-deprecated" title="Deprecated. Not for use in new websites."> <span class="visually-hidden">Deprecated</span> </abbr></li> <li><a href="https://developer-mozilla-org.translate.goog/en-US/docs/Web/HTTP/Headers/Sec-CH-UA-Full-Version-List?_x_tr_sl=pl&_x_tr_tl=tr&_x_tr_hl=en-GB"><code>Sec-CH-UA-Full-Version-List</code></a><abbr class="icon icon-experimental" title="Experimental. Expect behavior to change in the future."> <span class="visually-hidden">Experimental</span> </abbr></li> <li><a href="https://developer-mozilla-org.translate.goog/en-US/docs/Web/HTTP/Headers/Sec-CH-UA-Mobile?_x_tr_sl=pl&_x_tr_tl=tr&_x_tr_hl=en-GB"><code>Sec-CH-UA-Mobile</code></a><abbr class="icon icon-experimental" title="Experimental. Expect behavior to change in the future."> <span class="visually-hidden">Experimental</span> </abbr></li> <li><a href="https://developer-mozilla-org.translate.goog/en-US/docs/Web/HTTP/Headers/Sec-CH-UA-Model?_x_tr_sl=pl&_x_tr_tl=tr&_x_tr_hl=en-GB"><code>Sec-CH-UA-Model</code></a><abbr class="icon icon-experimental" title="Experimental. Expect behavior to change in the future."> <span class="visually-hidden">Experimental</span> </abbr></li> <li><a href="https://developer-mozilla-org.translate.goog/en-US/docs/Web/HTTP/Headers/Sec-CH-UA-Platform?_x_tr_sl=pl&_x_tr_tl=tr&_x_tr_hl=en-GB"><code>Sec-CH-UA-Platform</code></a><abbr class="icon icon-experimental" title="Experimental. Expect behavior to change in the future."> <span class="visually-hidden">Experimental</span> </abbr></li> <li><a href="https://developer-mozilla-org.translate.goog/en-US/docs/Web/HTTP/Headers/Sec-CH-UA-Platform-Version?_x_tr_sl=pl&_x_tr_tl=tr&_x_tr_hl=en-GB"><code>Sec-CH-UA-Platform-Version</code></a><abbr class="icon icon-experimental" title="Experimental. Expect behavior to change in the future."> <span class="visually-hidden">Experimental</span> </abbr></li> <li><a href="https://developer-mozilla-org.translate.goog/en-US/docs/Web/HTTP/Headers/Sec-CH-UA-WoW64?_x_tr_sl=pl&_x_tr_tl=tr&_x_tr_hl=en-GB"><code>Sec-CH-UA-WoW64</code></a><abbr class="icon icon-experimental" title="Experimental. Expect behavior to change in the future."> <span class="visually-hidden">Experimental</span> </abbr></li> <li><a href="https://developer-mozilla-org.translate.goog/en-US/docs/Web/HTTP/Headers/Sec-Fetch-Dest?_x_tr_sl=pl&_x_tr_tl=tr&_x_tr_hl=en-GB"><code>Sec-Fetch-Dest</code></a></li> <li><a href="https://developer-mozilla-org.translate.goog/en-US/docs/Web/HTTP/Headers/Sec-Fetch-Mode?_x_tr_sl=pl&_x_tr_tl=tr&_x_tr_hl=en-GB"><code>Sec-Fetch-Mode</code></a></li> <li><a href="https://developer-mozilla-org.translate.goog/en-US/docs/Web/HTTP/Headers/Sec-Fetch-Site?_x_tr_sl=pl&_x_tr_tl=tr&_x_tr_hl=en-GB"><code>Sec-Fetch-Site</code></a></li> <li><a href="https://developer-mozilla-org.translate.goog/en-US/docs/Web/HTTP/Headers/Sec-Fetch-User?_x_tr_sl=pl&_x_tr_tl=tr&_x_tr_hl=en-GB"><code>Sec-Fetch-User</code></a></li> <li><a href="https://developer-mozilla-org.translate.goog/en-US/docs/Web/HTTP/Headers/Sec-GPC?_x_tr_sl=pl&_x_tr_tl=tr&_x_tr_hl=en-GB"><code>Sec-GPC</code></a><abbr class="icon icon-experimental" title="Experimental. Expect behavior to change in the future."> <span class="visually-hidden">Experimental</span> </abbr></li> <li><a href="https://developer-mozilla-org.translate.goog/en-US/docs/Web/HTTP/Headers/Sec-Purpose?_x_tr_sl=pl&_x_tr_tl=tr&_x_tr_hl=en-GB"><code>Sec-Purpose</code></a></li> <li><a href="https://developer-mozilla-org.translate.goog/en-US/docs/Web/HTTP/Headers/Sec-WebSocket-Accept?_x_tr_sl=pl&_x_tr_tl=tr&_x_tr_hl=en-GB"><code>Sec-WebSocket-Accept</code></a></li> <li><a href="https://developer-mozilla-org.translate.goog/en-US/docs/Web/HTTP/Headers/Sec-WebSocket-Extensions?_x_tr_sl=pl&_x_tr_tl=tr&_x_tr_hl=en-GB"><code>Sec-WebSocket-Extensions</code></a></li> <li><a href="https://developer-mozilla-org.translate.goog/en-US/docs/Web/HTTP/Headers/Sec-WebSocket-Key?_x_tr_sl=pl&_x_tr_tl=tr&_x_tr_hl=en-GB"><code>Sec-WebSocket-Key</code></a></li> <li><a href="https://developer-mozilla-org.translate.goog/en-US/docs/Web/HTTP/Headers/Sec-WebSocket-Protocol?_x_tr_sl=pl&_x_tr_tl=tr&_x_tr_hl=en-GB"><code>Sec-WebSocket-Protocol</code></a></li> <li><a href="https://developer-mozilla-org.translate.goog/en-US/docs/Web/HTTP/Headers/Sec-WebSocket-Version?_x_tr_sl=pl&_x_tr_tl=tr&_x_tr_hl=en-GB"><code>Sec-WebSocket-Version</code></a></li> <li><a href="https://developer-mozilla-org.translate.goog/en-US/docs/Web/HTTP/Headers/Server?_x_tr_sl=pl&_x_tr_tl=tr&_x_tr_hl=en-GB"><code>Server</code></a></li> <li><a href="https://developer-mozilla-org.translate.goog/en-US/docs/Web/HTTP/Headers/Server-Timing?_x_tr_sl=pl&_x_tr_tl=tr&_x_tr_hl=en-GB"><code>Server-Timing</code></a></li> <li><a href="https://developer-mozilla-org.translate.goog/en-US/docs/Web/HTTP/Headers/Service-Worker?_x_tr_sl=pl&_x_tr_tl=tr&_x_tr_hl=en-GB"><code>Service-Worker</code></a></li> <li><a href="https://developer-mozilla-org.translate.goog/en-US/docs/Web/HTTP/Headers/Service-Worker-Allowed?_x_tr_sl=pl&_x_tr_tl=tr&_x_tr_hl=en-GB"><code>Service-Worker-Allowed</code></a></li> <li><a href="https://developer-mozilla-org.translate.goog/en-US/docs/Web/HTTP/Headers/Service-Worker-Navigation-Preload?_x_tr_sl=pl&_x_tr_tl=tr&_x_tr_hl=en-GB"><code>Service-Worker-Navigation-Preload</code></a></li> <li><a href="https://developer-mozilla-org.translate.goog/en-US/docs/Web/HTTP/Headers/Set-Cookie?_x_tr_sl=pl&_x_tr_tl=tr&_x_tr_hl=en-GB"><code>Set-Cookie</code></a></li> <li><a href="https://developer-mozilla-org.translate.goog/en-US/docs/Web/HTTP/Headers/Set-Login?_x_tr_sl=pl&_x_tr_tl=tr&_x_tr_hl=en-GB"><code>Set-Login</code></a><abbr class="icon icon-experimental" title="Experimental. Expect behavior to change in the future."> <span class="visually-hidden">Experimental</span> </abbr></li> <li><a href="https://developer-mozilla-org.translate.goog/en-US/docs/Web/HTTP/Headers/SourceMap?_x_tr_sl=pl&_x_tr_tl=tr&_x_tr_hl=en-GB"><code>SourceMap</code></a></li> <li><a href="https://developer-mozilla-org.translate.goog/en-US/docs/Web/HTTP/Headers/Speculation-Rules?_x_tr_sl=pl&_x_tr_tl=tr&_x_tr_hl=en-GB"><code>Speculation-Rules</code></a><abbr class="icon icon-experimental" title="Experimental. Expect behavior to change in the future."> <span class="visually-hidden">Experimental</span> </abbr></li> <li><a href="https://developer-mozilla-org.translate.goog/en-US/docs/Web/HTTP/Headers/Strict-Transport-Security?_x_tr_sl=pl&_x_tr_tl=tr&_x_tr_hl=en-GB"><code>Strict-Transport-Security</code></a></li> <li><a href="https://developer-mozilla-org.translate.goog/en-US/docs/Web/HTTP/Headers/Supports-Loading-Mode?_x_tr_sl=pl&_x_tr_tl=tr&_x_tr_hl=en-GB"><code>Supports-Loading-Mode</code></a><abbr class="icon icon-experimental" title="Experimental. Expect behavior to change in the future."> <span class="visually-hidden">Experimental</span> </abbr></li> <li><a href="https://developer-mozilla-org.translate.goog/en-US/docs/Web/HTTP/Headers/TE?_x_tr_sl=pl&_x_tr_tl=tr&_x_tr_hl=en-GB"><code>TE</code></a></li> <li><a href="https://developer-mozilla-org.translate.goog/en-US/docs/Web/HTTP/Headers/Timing-Allow-Origin?_x_tr_sl=pl&_x_tr_tl=tr&_x_tr_hl=en-GB"><code>Timing-Allow-Origin</code></a></li> <li><a href="https://developer-mozilla-org.translate.goog/en-US/docs/Web/HTTP/Headers/Tk?_x_tr_sl=pl&_x_tr_tl=tr&_x_tr_hl=en-GB"><code>Tk</code></a><abbr class="icon icon-nonstandard" title="Non-standard. Check cross-browser support before using."> <span class="visually-hidden">Non-standard</span> </abbr><abbr class="icon icon-deprecated" title="Deprecated. Not for use in new websites."> <span class="visually-hidden">Deprecated</span> </abbr></li> <li><a href="https://developer-mozilla-org.translate.goog/en-US/docs/Web/HTTP/Headers/Trailer?_x_tr_sl=pl&_x_tr_tl=tr&_x_tr_hl=en-GB"><code>Trailer</code></a></li> <li><a href="https://developer-mozilla-org.translate.goog/en-US/docs/Web/HTTP/Headers/Transfer-Encoding?_x_tr_sl=pl&_x_tr_tl=tr&_x_tr_hl=en-GB"><code>Transfer-Encoding</code></a></li> <li><a href="https://developer-mozilla-org.translate.goog/en-US/docs/Web/HTTP/Headers/Upgrade?_x_tr_sl=pl&_x_tr_tl=tr&_x_tr_hl=en-GB"><code>Upgrade</code></a></li> <li><a href="https://developer-mozilla-org.translate.goog/en-US/docs/Web/HTTP/Headers/Upgrade-Insecure-Requests?_x_tr_sl=pl&_x_tr_tl=tr&_x_tr_hl=en-GB"><code>Upgrade-Insecure-Requests</code></a></li> <li><a href="https://developer-mozilla-org.translate.goog/en-US/docs/Web/HTTP/Headers/User-Agent?_x_tr_sl=pl&_x_tr_tl=tr&_x_tr_hl=en-GB"><code>User-Agent</code></a></li> <li><a href="https://developer-mozilla-org.translate.goog/en-US/docs/Web/HTTP/Headers/Vary?_x_tr_sl=pl&_x_tr_tl=tr&_x_tr_hl=en-GB"><code>Vary</code></a></li> <li><a href="https://developer-mozilla-org.translate.goog/en-US/docs/Web/HTTP/Headers/Via?_x_tr_sl=pl&_x_tr_tl=tr&_x_tr_hl=en-GB"><code>Via</code></a></li> <li><a href="https://developer-mozilla-org.translate.goog/en-US/docs/Web/HTTP/Headers/Viewport-Width?_x_tr_sl=pl&_x_tr_tl=tr&_x_tr_hl=en-GB"><code>Viewport-Width</code></a><abbr class="icon icon-nonstandard" title="Non-standard. Check cross-browser support before using."> <span class="visually-hidden">Non-standard</span> </abbr><abbr class="icon icon-deprecated" title="Deprecated. Not for use in new websites."> <span class="visually-hidden">Deprecated</span> </abbr></li> <li><a href="https://developer-mozilla-org.translate.goog/en-US/docs/Web/HTTP/Headers/Want-Content-Digest?_x_tr_sl=pl&_x_tr_tl=tr&_x_tr_hl=en-GB"><code>Want-Content-Digest</code></a></li> <li><a href="https://developer-mozilla-org.translate.goog/en-US/docs/Web/HTTP/Headers/Want-Repr-Digest?_x_tr_sl=pl&_x_tr_tl=tr&_x_tr_hl=en-GB"><code>Want-Repr-Digest</code></a></li> <li><a href="https://developer-mozilla-org.translate.goog/en-US/docs/Web/HTTP/Headers/Warning?_x_tr_sl=pl&_x_tr_tl=tr&_x_tr_hl=en-GB"><code>Warning</code></a><abbr class="icon icon-deprecated" title="Deprecated. Not for use in new websites."> <span class="visually-hidden">Deprecated</span> </abbr></li> <li><a href="https://developer-mozilla-org.translate.goog/en-US/docs/Web/HTTP/Headers/Width?_x_tr_sl=pl&_x_tr_tl=tr&_x_tr_hl=en-GB"><code>Width</code></a><abbr class="icon icon-nonstandard" title="Non-standard. Check cross-browser support before using."> <span class="visually-hidden">Non-standard</span> </abbr><abbr class="icon icon-deprecated" title="Deprecated. Not for use in new websites."> <span class="visually-hidden">Deprecated</span> </abbr></li> <li><a href="https://developer-mozilla-org.translate.goog/en-US/docs/Web/HTTP/Headers/WWW-Authenticate?_x_tr_sl=pl&_x_tr_tl=tr&_x_tr_hl=en-GB"><code>WWW-Authenticate</code></a></li> <li><a href="https://developer-mozilla-org.translate.goog/en-US/docs/Web/HTTP/Headers/X-Content-Type-Options?_x_tr_sl=pl&_x_tr_tl=tr&_x_tr_hl=en-GB"><code>X-Content-Type-Options</code></a></li> <li><a href="https://developer-mozilla-org.translate.goog/en-US/docs/Web/HTTP/Headers/X-DNS-Prefetch-Control?_x_tr_sl=pl&_x_tr_tl=tr&_x_tr_hl=en-GB"><code>X-DNS-Prefetch-Control</code></a><abbr class="icon icon-nonstandard" title="Non-standard. Check cross-browser support before using."> <span class="visually-hidden">Non-standard</span> </abbr></li> <li><a href="https://developer-mozilla-org.translate.goog/en-US/docs/Web/HTTP/Headers/X-Forwarded-For?_x_tr_sl=pl&_x_tr_tl=tr&_x_tr_hl=en-GB"><code>X-Forwarded-For</code></a><abbr class="icon icon-nonstandard" title="Non-standard. Check cross-browser support before using."> <span class="visually-hidden">Non-standard</span> </abbr></li> <li><a href="https://developer-mozilla-org.translate.goog/en-US/docs/Web/HTTP/Headers/X-Forwarded-Host?_x_tr_sl=pl&_x_tr_tl=tr&_x_tr_hl=en-GB"><code>X-Forwarded-Host</code></a><abbr class="icon icon-nonstandard" title="Non-standard. Check cross-browser support before using."> <span class="visually-hidden">Non-standard</span> </abbr></li> <li><a href="https://developer-mozilla-org.translate.goog/en-US/docs/Web/HTTP/Headers/X-Forwarded-Proto?_x_tr_sl=pl&_x_tr_tl=tr&_x_tr_hl=en-GB"><code>X-Forwarded-Proto</code></a><abbr class="icon icon-nonstandard" title="Non-standard. Check cross-browser support before using."> <span class="visually-hidden">Non-standard</span> </abbr></li> <li><a href="https://developer-mozilla-org.translate.goog/en-US/docs/Web/HTTP/Headers/X-Frame-Options?_x_tr_sl=pl&_x_tr_tl=tr&_x_tr_hl=en-GB"><code>X-Frame-Options</code></a></li> <li><a href="https://developer-mozilla-org.translate.goog/en-US/docs/Web/HTTP/Headers/X-Permitted-Cross-Domain-Policies?_x_tr_sl=pl&_x_tr_tl=tr&_x_tr_hl=en-GB"><code>X-Permitted-Cross-Domain-Policies</code></a><abbr class="icon icon-nonstandard" title="Non-standard. Check cross-browser support before using."> <span class="visually-hidden">Non-standard</span> </abbr></li> <li><a href="https://developer-mozilla-org.translate.goog/en-US/docs/Web/HTTP/Headers/X-Powered-By?_x_tr_sl=pl&_x_tr_tl=tr&_x_tr_hl=en-GB"><code>X-Powered-By</code></a><abbr class="icon icon-nonstandard" title="Non-standard. Check cross-browser support before using."> <span class="visually-hidden">Non-standard</span> </abbr></li> <li><a href="https://developer-mozilla-org.translate.goog/en-US/docs/Web/HTTP/Headers/X-Robots-Tag?_x_tr_sl=pl&_x_tr_tl=tr&_x_tr_hl=en-GB"><code>X-Robots-Tag</code></a><abbr class="icon icon-nonstandard" title="Non-standard. Check cross-browser support before using."> <span class="visually-hidden">Non-standard</span> </abbr></li> <li><a href="https://developer-mozilla-org.translate.goog/en-US/docs/Web/HTTP/Headers/X-XSS-Protection?_x_tr_sl=pl&_x_tr_tl=tr&_x_tr_hl=en-GB"><code>X-XSS-Protection</code></a><abbr class="icon icon-nonstandard" title="Non-standard. Check cross-browser support before using."> <span class="visually-hidden">Non-standard</span> </abbr><abbr class="icon icon-deprecated" title="Deprecated. Not for use in new websites."> <span class="visually-hidden">Deprecated</span> </abbr></li> </ol> </details></li> <li class="toggle"> <details> <summary>HTTP request methods</summary> <ol> <li><a href="https://developer-mozilla-org.translate.goog/en-US/docs/Web/HTTP/Methods/CONNECT?_x_tr_sl=pl&_x_tr_tl=tr&_x_tr_hl=en-GB"><code>CONNECT</code></a></li> <li><a href="https://developer-mozilla-org.translate.goog/en-US/docs/Web/HTTP/Methods/DELETE?_x_tr_sl=pl&_x_tr_tl=tr&_x_tr_hl=en-GB"><code>DELETE</code></a></li> <li><a href="https://developer-mozilla-org.translate.goog/en-US/docs/Web/HTTP/Methods/GET?_x_tr_sl=pl&_x_tr_tl=tr&_x_tr_hl=en-GB"><code>GET</code></a></li> <li><a href="https://developer-mozilla-org.translate.goog/en-US/docs/Web/HTTP/Methods/HEAD?_x_tr_sl=pl&_x_tr_tl=tr&_x_tr_hl=en-GB"><code>HEAD</code></a></li> <li><a href="https://developer-mozilla-org.translate.goog/en-US/docs/Web/HTTP/Methods/OPTIONS?_x_tr_sl=pl&_x_tr_tl=tr&_x_tr_hl=en-GB"><code>OPTIONS</code></a></li> <li><a href="https://developer-mozilla-org.translate.goog/en-US/docs/Web/HTTP/Methods/PATCH?_x_tr_sl=pl&_x_tr_tl=tr&_x_tr_hl=en-GB"><code>PATCH</code></a></li> <li><a href="https://developer-mozilla-org.translate.goog/en-US/docs/Web/HTTP/Methods/POST?_x_tr_sl=pl&_x_tr_tl=tr&_x_tr_hl=en-GB"><code>POST</code></a></li> <li><a href="https://developer-mozilla-org.translate.goog/en-US/docs/Web/HTTP/Methods/PUT?_x_tr_sl=pl&_x_tr_tl=tr&_x_tr_hl=en-GB"><code>PUT</code></a></li> <li><a href="https://developer-mozilla-org.translate.goog/en-US/docs/Web/HTTP/Methods/TRACE?_x_tr_sl=pl&_x_tr_tl=tr&_x_tr_hl=en-GB"><code>TRACE</code></a></li> </ol> </details></li> <li class="toggle"> <details> <summary>HTTP response status codes</summary> <ol> <li><a href="https://developer-mozilla-org.translate.goog/en-US/docs/Web/HTTP/Status/100?_x_tr_sl=pl&_x_tr_tl=tr&_x_tr_hl=en-GB"><code>100 Continue</code></a></li> <li><a href="https://developer-mozilla-org.translate.goog/en-US/docs/Web/HTTP/Status/101?_x_tr_sl=pl&_x_tr_tl=tr&_x_tr_hl=en-GB"><code>101 Switching Protocols</code></a></li> <li><a href="https://developer-mozilla-org.translate.goog/en-US/docs/Web/HTTP/Status/102?_x_tr_sl=pl&_x_tr_tl=tr&_x_tr_hl=en-GB"><code>102 Processing</code></a></li> <li><a href="https://developer-mozilla-org.translate.goog/en-US/docs/Web/HTTP/Status/103?_x_tr_sl=pl&_x_tr_tl=tr&_x_tr_hl=en-GB"><code>103 Early Hints</code></a></li> <li><a href="https://developer-mozilla-org.translate.goog/en-US/docs/Web/HTTP/Status/200?_x_tr_sl=pl&_x_tr_tl=tr&_x_tr_hl=en-GB"><code>200 OK</code></a></li> <li><a href="https://developer-mozilla-org.translate.goog/en-US/docs/Web/HTTP/Status/201?_x_tr_sl=pl&_x_tr_tl=tr&_x_tr_hl=en-GB"><code>201 Created</code></a></li> <li><a href="https://developer-mozilla-org.translate.goog/en-US/docs/Web/HTTP/Status/202?_x_tr_sl=pl&_x_tr_tl=tr&_x_tr_hl=en-GB"><code>202 Accepted</code></a></li> <li><a href="https://developer-mozilla-org.translate.goog/en-US/docs/Web/HTTP/Status/203?_x_tr_sl=pl&_x_tr_tl=tr&_x_tr_hl=en-GB"><code>203 Non-Authoritative Information</code></a></li> <li><a href="https://developer-mozilla-org.translate.goog/en-US/docs/Web/HTTP/Status/204?_x_tr_sl=pl&_x_tr_tl=tr&_x_tr_hl=en-GB"><code>204 No Content</code></a></li> <li><a href="https://developer-mozilla-org.translate.goog/en-US/docs/Web/HTTP/Status/205?_x_tr_sl=pl&_x_tr_tl=tr&_x_tr_hl=en-GB"><code>205 Reset Content</code></a></li> <li><a href="https://developer-mozilla-org.translate.goog/en-US/docs/Web/HTTP/Status/206?_x_tr_sl=pl&_x_tr_tl=tr&_x_tr_hl=en-GB"><code>206 Partial Content</code></a></li> <li><a href="https://developer-mozilla-org.translate.goog/en-US/docs/Web/HTTP/Status/207?_x_tr_sl=pl&_x_tr_tl=tr&_x_tr_hl=en-GB"><code>207 Multi-Status</code></a></li> <li><a href="https://developer-mozilla-org.translate.goog/en-US/docs/Web/HTTP/Status/208?_x_tr_sl=pl&_x_tr_tl=tr&_x_tr_hl=en-GB"><code>208 Already Reported</code></a></li> <li><a href="https://developer-mozilla-org.translate.goog/en-US/docs/Web/HTTP/Status/226?_x_tr_sl=pl&_x_tr_tl=tr&_x_tr_hl=en-GB"><code>226 IM Used</code></a></li> <li><a href="https://developer-mozilla-org.translate.goog/en-US/docs/Web/HTTP/Status/300?_x_tr_sl=pl&_x_tr_tl=tr&_x_tr_hl=en-GB"><code>300 Multiple Choices</code></a></li> <li><a href="https://developer-mozilla-org.translate.goog/en-US/docs/Web/HTTP/Status/301?_x_tr_sl=pl&_x_tr_tl=tr&_x_tr_hl=en-GB"><code>301 Moved Permanently</code></a></li> <li><a href="https://developer-mozilla-org.translate.goog/en-US/docs/Web/HTTP/Status/302?_x_tr_sl=pl&_x_tr_tl=tr&_x_tr_hl=en-GB"><code>302 Found</code></a></li> <li><a href="https://developer-mozilla-org.translate.goog/en-US/docs/Web/HTTP/Status/303?_x_tr_sl=pl&_x_tr_tl=tr&_x_tr_hl=en-GB"><code>303 See Other</code></a></li> <li><a href="https://developer-mozilla-org.translate.goog/en-US/docs/Web/HTTP/Status/304?_x_tr_sl=pl&_x_tr_tl=tr&_x_tr_hl=en-GB"><code>304 Not Modified</code></a></li> <li><a href="https://developer-mozilla-org.translate.goog/en-US/docs/Web/HTTP/Status/307?_x_tr_sl=pl&_x_tr_tl=tr&_x_tr_hl=en-GB"><code>307 Temporary Redirect</code></a></li> <li><a href="https://developer-mozilla-org.translate.goog/en-US/docs/Web/HTTP/Status/308?_x_tr_sl=pl&_x_tr_tl=tr&_x_tr_hl=en-GB"><code>308 Permanent Redirect</code></a></li> <li><a href="https://developer-mozilla-org.translate.goog/en-US/docs/Web/HTTP/Status/400?_x_tr_sl=pl&_x_tr_tl=tr&_x_tr_hl=en-GB"><code>400 Bad Request</code></a></li> <li><a href="https://developer-mozilla-org.translate.goog/en-US/docs/Web/HTTP/Status/401?_x_tr_sl=pl&_x_tr_tl=tr&_x_tr_hl=en-GB"><code>401 Unauthorized</code></a></li> <li><a href="https://developer-mozilla-org.translate.goog/en-US/docs/Web/HTTP/Status/402?_x_tr_sl=pl&_x_tr_tl=tr&_x_tr_hl=en-GB"><code>402 Payment Required</code></a></li> <li><a href="https://developer-mozilla-org.translate.goog/en-US/docs/Web/HTTP/Status/403?_x_tr_sl=pl&_x_tr_tl=tr&_x_tr_hl=en-GB"><code>403 Forbidden</code></a></li> <li><a href="https://developer-mozilla-org.translate.goog/en-US/docs/Web/HTTP/Status/404?_x_tr_sl=pl&_x_tr_tl=tr&_x_tr_hl=en-GB"><code>404 Not Found</code></a></li> <li><a href="https://developer-mozilla-org.translate.goog/en-US/docs/Web/HTTP/Status/405?_x_tr_sl=pl&_x_tr_tl=tr&_x_tr_hl=en-GB"><code>405 Method Not Allowed</code></a></li> <li><a href="https://developer-mozilla-org.translate.goog/en-US/docs/Web/HTTP/Status/406?_x_tr_sl=pl&_x_tr_tl=tr&_x_tr_hl=en-GB"><code>406 Not Acceptable</code></a></li> <li><a href="https://developer-mozilla-org.translate.goog/en-US/docs/Web/HTTP/Status/407?_x_tr_sl=pl&_x_tr_tl=tr&_x_tr_hl=en-GB"><code>407 Proxy Authentication Required</code></a></li> <li><a href="https://developer-mozilla-org.translate.goog/en-US/docs/Web/HTTP/Status/408?_x_tr_sl=pl&_x_tr_tl=tr&_x_tr_hl=en-GB"><code>408 Request Timeout</code></a></li> <li><a href="https://developer-mozilla-org.translate.goog/en-US/docs/Web/HTTP/Status/409?_x_tr_sl=pl&_x_tr_tl=tr&_x_tr_hl=en-GB"><code>409 Conflict</code></a></li> <li><a href="https://developer-mozilla-org.translate.goog/en-US/docs/Web/HTTP/Status/410?_x_tr_sl=pl&_x_tr_tl=tr&_x_tr_hl=en-GB"><code>410 Gone</code></a></li> <li><a href="https://developer-mozilla-org.translate.goog/en-US/docs/Web/HTTP/Status/411?_x_tr_sl=pl&_x_tr_tl=tr&_x_tr_hl=en-GB"><code>411 Length Required</code></a></li> <li><a href="https://developer-mozilla-org.translate.goog/en-US/docs/Web/HTTP/Status/412?_x_tr_sl=pl&_x_tr_tl=tr&_x_tr_hl=en-GB"><code>412 Precondition Failed</code></a></li> <li><a href="https://developer-mozilla-org.translate.goog/en-US/docs/Web/HTTP/Status/413?_x_tr_sl=pl&_x_tr_tl=tr&_x_tr_hl=en-GB"><code>413 Content Too Large</code></a></li> <li><a href="https://developer-mozilla-org.translate.goog/en-US/docs/Web/HTTP/Status/414?_x_tr_sl=pl&_x_tr_tl=tr&_x_tr_hl=en-GB"><code>414 URI Too Long</code></a></li> <li><a href="https://developer-mozilla-org.translate.goog/en-US/docs/Web/HTTP/Status/415?_x_tr_sl=pl&_x_tr_tl=tr&_x_tr_hl=en-GB"><code>415 Unsupported Media Type</code></a></li> <li><a href="https://developer-mozilla-org.translate.goog/en-US/docs/Web/HTTP/Status/416?_x_tr_sl=pl&_x_tr_tl=tr&_x_tr_hl=en-GB"><code>416 Range Not Satisfiable</code></a></li> <li><a href="https://developer-mozilla-org.translate.goog/en-US/docs/Web/HTTP/Status/417?_x_tr_sl=pl&_x_tr_tl=tr&_x_tr_hl=en-GB"><code>417 Expectation Failed</code></a></li> <li><a href="https://developer-mozilla-org.translate.goog/en-US/docs/Web/HTTP/Status/418?_x_tr_sl=pl&_x_tr_tl=tr&_x_tr_hl=en-GB"><code>418 I'm a teapot</code></a></li> <li><a href="https://developer-mozilla-org.translate.goog/en-US/docs/Web/HTTP/Status/421?_x_tr_sl=pl&_x_tr_tl=tr&_x_tr_hl=en-GB"><code>421 Misdirected Request</code></a></li> <li><a href="https://developer-mozilla-org.translate.goog/en-US/docs/Web/HTTP/Status/422?_x_tr_sl=pl&_x_tr_tl=tr&_x_tr_hl=en-GB"><code>422 Unprocessable Content</code></a></li> <li><a href="https://developer-mozilla-org.translate.goog/en-US/docs/Web/HTTP/Status/423?_x_tr_sl=pl&_x_tr_tl=tr&_x_tr_hl=en-GB"><code>423 Locked</code></a></li> <li><a href="https://developer-mozilla-org.translate.goog/en-US/docs/Web/HTTP/Status/424?_x_tr_sl=pl&_x_tr_tl=tr&_x_tr_hl=en-GB"><code>424 Failed Dependency</code></a></li> <li><a href="https://developer-mozilla-org.translate.goog/en-US/docs/Web/HTTP/Status/425?_x_tr_sl=pl&_x_tr_tl=tr&_x_tr_hl=en-GB"><code>425 Too Early</code></a></li> <li><a href="https://developer-mozilla-org.translate.goog/en-US/docs/Web/HTTP/Status/426?_x_tr_sl=pl&_x_tr_tl=tr&_x_tr_hl=en-GB"><code>426 Upgrade Required</code></a></li> <li><a href="https://developer-mozilla-org.translate.goog/en-US/docs/Web/HTTP/Status/428?_x_tr_sl=pl&_x_tr_tl=tr&_x_tr_hl=en-GB"><code>428 Precondition Required</code></a></li> <li><a href="https://developer-mozilla-org.translate.goog/en-US/docs/Web/HTTP/Status/429?_x_tr_sl=pl&_x_tr_tl=tr&_x_tr_hl=en-GB"><code>429 Too Many Requests</code></a></li> <li><a href="https://developer-mozilla-org.translate.goog/en-US/docs/Web/HTTP/Status/431?_x_tr_sl=pl&_x_tr_tl=tr&_x_tr_hl=en-GB"><code>431 Request Header Fields Too Large</code></a></li> <li><a href="https://developer-mozilla-org.translate.goog/en-US/docs/Web/HTTP/Status/451?_x_tr_sl=pl&_x_tr_tl=tr&_x_tr_hl=en-GB"><code>451 Unavailable For Legal Reasons</code></a></li> <li><a href="https://developer-mozilla-org.translate.goog/en-US/docs/Web/HTTP/Status/500?_x_tr_sl=pl&_x_tr_tl=tr&_x_tr_hl=en-GB"><code>500 Internal Server Error</code></a></li> <li><a href="https://developer-mozilla-org.translate.goog/en-US/docs/Web/HTTP/Status/501?_x_tr_sl=pl&_x_tr_tl=tr&_x_tr_hl=en-GB"><code>501 Not Implemented</code></a></li> <li><a href="https://developer-mozilla-org.translate.goog/en-US/docs/Web/HTTP/Status/502?_x_tr_sl=pl&_x_tr_tl=tr&_x_tr_hl=en-GB"><code>502 Bad Gateway</code></a></li> <li><a href="https://developer-mozilla-org.translate.goog/en-US/docs/Web/HTTP/Status/503?_x_tr_sl=pl&_x_tr_tl=tr&_x_tr_hl=en-GB"><code>503 Service Unavailable</code></a></li> <li><a href="https://developer-mozilla-org.translate.goog/en-US/docs/Web/HTTP/Status/504?_x_tr_sl=pl&_x_tr_tl=tr&_x_tr_hl=en-GB"><code>504 Gateway Timeout</code></a></li> <li><a href="https://developer-mozilla-org.translate.goog/en-US/docs/Web/HTTP/Status/505?_x_tr_sl=pl&_x_tr_tl=tr&_x_tr_hl=en-GB"><code>505 HTTP Version Not Supported</code></a></li> <li><a href="https://developer-mozilla-org.translate.goog/en-US/docs/Web/HTTP/Status/506?_x_tr_sl=pl&_x_tr_tl=tr&_x_tr_hl=en-GB"><code>506 Variant Also Negotiates</code></a></li> <li><a href="https://developer-mozilla-org.translate.goog/en-US/docs/Web/HTTP/Status/507?_x_tr_sl=pl&_x_tr_tl=tr&_x_tr_hl=en-GB"><code>507 Insufficient Storage</code></a></li> <li><a href="https://developer-mozilla-org.translate.goog/en-US/docs/Web/HTTP/Status/508?_x_tr_sl=pl&_x_tr_tl=tr&_x_tr_hl=en-GB"><code>508 Loop Detected</code></a></li> <li><a href="https://developer-mozilla-org.translate.goog/en-US/docs/Web/HTTP/Status/510?_x_tr_sl=pl&_x_tr_tl=tr&_x_tr_hl=en-GB"><code>510 Not Extended</code></a></li> <li><a href="https://developer-mozilla-org.translate.goog/en-US/docs/Web/HTTP/Status/511?_x_tr_sl=pl&_x_tr_tl=tr&_x_tr_hl=en-GB"><code>511 Network Authentication Required</code></a></li> </ol> </details></li> <li class="toggle"> <details> <summary>CSP directives</summary> <ol> <li><a href="https://developer-mozilla-org.translate.goog/en-US/docs/Web/HTTP/Headers/Content-Security-Policy/base-uri?_x_tr_sl=pl&_x_tr_tl=tr&_x_tr_hl=en-GB"><code>CSP: base-uri</code></a></li> <li><a href="https://developer-mozilla-org.translate.goog/en-US/docs/Web/HTTP/Headers/Content-Security-Policy/block-all-mixed-content?_x_tr_sl=pl&_x_tr_tl=tr&_x_tr_hl=en-GB"><code>CSP: block-all-mixed-content</code></a><abbr class="icon icon-deprecated" title="Deprecated. Not for use in new websites."> <span class="visually-hidden">Deprecated</span> </abbr></li> <li><a href="https://developer-mozilla-org.translate.goog/en-US/docs/Web/HTTP/Headers/Content-Security-Policy/child-src?_x_tr_sl=pl&_x_tr_tl=tr&_x_tr_hl=en-GB"><code>CSP: child-src</code></a></li> <li><a href="https://developer-mozilla-org.translate.goog/en-US/docs/Web/HTTP/Headers/Content-Security-Policy/connect-src?_x_tr_sl=pl&_x_tr_tl=tr&_x_tr_hl=en-GB"><code>CSP: connect-src</code></a></li> <li><a href="https://developer-mozilla-org.translate.goog/en-US/docs/Web/HTTP/Headers/Content-Security-Policy/default-src?_x_tr_sl=pl&_x_tr_tl=tr&_x_tr_hl=en-GB"><code>CSP: default-src</code></a></li> <li><a href="https://developer-mozilla-org.translate.goog/en-US/docs/Web/HTTP/Headers/Content-Security-Policy/fenced-frame-src?_x_tr_sl=pl&_x_tr_tl=tr&_x_tr_hl=en-GB"><code>CSP: fenced-frame-src</code></a><abbr class="icon icon-experimental" title="Experimental. Expect behavior to change in the future."> <span class="visually-hidden">Experimental</span> </abbr></li> <li><a href="https://developer-mozilla-org.translate.goog/en-US/docs/Web/HTTP/Headers/Content-Security-Policy/font-src?_x_tr_sl=pl&_x_tr_tl=tr&_x_tr_hl=en-GB"><code>CSP: font-src</code></a></li> <li><a href="https://developer-mozilla-org.translate.goog/en-US/docs/Web/HTTP/Headers/Content-Security-Policy/form-action?_x_tr_sl=pl&_x_tr_tl=tr&_x_tr_hl=en-GB"><code>CSP: form-action</code></a></li> <li><a href="https://developer-mozilla-org.translate.goog/en-US/docs/Web/HTTP/Headers/Content-Security-Policy/frame-ancestors?_x_tr_sl=pl&_x_tr_tl=tr&_x_tr_hl=en-GB"><code>CSP: frame-ancestors</code></a></li> <li><a href="https://developer-mozilla-org.translate.goog/en-US/docs/Web/HTTP/Headers/Content-Security-Policy/frame-src?_x_tr_sl=pl&_x_tr_tl=tr&_x_tr_hl=en-GB"><code>CSP: frame-src</code></a></li> <li><a href="https://developer-mozilla-org.translate.goog/en-US/docs/Web/HTTP/Headers/Content-Security-Policy/img-src?_x_tr_sl=pl&_x_tr_tl=tr&_x_tr_hl=en-GB"><code>CSP: img-src</code></a></li> <li><a href="https://developer-mozilla-org.translate.goog/en-US/docs/Web/HTTP/Headers/Content-Security-Policy/manifest-src?_x_tr_sl=pl&_x_tr_tl=tr&_x_tr_hl=en-GB"><code>CSP: manifest-src</code></a></li> <li><a href="https://developer-mozilla-org.translate.goog/en-US/docs/Web/HTTP/Headers/Content-Security-Policy/media-src?_x_tr_sl=pl&_x_tr_tl=tr&_x_tr_hl=en-GB"><code>CSP: media-src</code></a></li> <li><a href="https://developer-mozilla-org.translate.goog/en-US/docs/Web/HTTP/Headers/Content-Security-Policy/object-src?_x_tr_sl=pl&_x_tr_tl=tr&_x_tr_hl=en-GB"><code>CSP: object-src</code></a></li> <li><a href="https://developer-mozilla-org.translate.goog/en-US/docs/Web/HTTP/Headers/Content-Security-Policy/prefetch-src?_x_tr_sl=pl&_x_tr_tl=tr&_x_tr_hl=en-GB"><code>CSP: prefetch-src</code></a><abbr class="icon icon-nonstandard" title="Non-standard. Check cross-browser support before using."> <span class="visually-hidden">Non-standard</span> </abbr><abbr class="icon icon-deprecated" title="Deprecated. Not for use in new websites."> <span class="visually-hidden">Deprecated</span> </abbr></li> <li><a href="https://developer-mozilla-org.translate.goog/en-US/docs/Web/HTTP/Headers/Content-Security-Policy/report-to?_x_tr_sl=pl&_x_tr_tl=tr&_x_tr_hl=en-GB"><code>CSP: report-to</code></a></li> <li><a href="https://developer-mozilla-org.translate.goog/en-US/docs/Web/HTTP/Headers/Content-Security-Policy/report-uri?_x_tr_sl=pl&_x_tr_tl=tr&_x_tr_hl=en-GB"><code>CSP: report-uri</code></a><abbr class="icon icon-deprecated" title="Deprecated. Not for use in new websites."> <span class="visually-hidden">Deprecated</span> </abbr></li> <li><a href="https://developer-mozilla-org.translate.goog/en-US/docs/Web/HTTP/Headers/Content-Security-Policy/require-trusted-types-for?_x_tr_sl=pl&_x_tr_tl=tr&_x_tr_hl=en-GB"><code>CSP: require-trusted-types-for</code></a><abbr class="icon icon-experimental" title="Experimental. Expect behavior to change in the future."> <span class="visually-hidden">Experimental</span> </abbr></li> <li><a href="https://developer-mozilla-org.translate.goog/en-US/docs/Web/HTTP/Headers/Content-Security-Policy/sandbox?_x_tr_sl=pl&_x_tr_tl=tr&_x_tr_hl=en-GB"><code>CSP: sandbox</code></a></li> <li><a href="https://developer-mozilla-org.translate.goog/en-US/docs/Web/HTTP/Headers/Content-Security-Policy/script-src?_x_tr_sl=pl&_x_tr_tl=tr&_x_tr_hl=en-GB"><code>CSP: script-src</code></a></li> <li><a href="https://developer-mozilla-org.translate.goog/en-US/docs/Web/HTTP/Headers/Content-Security-Policy/script-src-attr?_x_tr_sl=pl&_x_tr_tl=tr&_x_tr_hl=en-GB"><code>CSP: script-src-attr</code></a></li> <li><a href="https://developer-mozilla-org.translate.goog/en-US/docs/Web/HTTP/Headers/Content-Security-Policy/script-src-elem?_x_tr_sl=pl&_x_tr_tl=tr&_x_tr_hl=en-GB"><code>CSP: script-src-elem</code></a></li> <li><a href="https://developer-mozilla-org.translate.goog/en-US/docs/Web/HTTP/Headers/Content-Security-Policy/style-src?_x_tr_sl=pl&_x_tr_tl=tr&_x_tr_hl=en-GB"><code>CSP: style-src</code></a></li> <li><a href="https://developer-mozilla-org.translate.goog/en-US/docs/Web/HTTP/Headers/Content-Security-Policy/style-src-attr?_x_tr_sl=pl&_x_tr_tl=tr&_x_tr_hl=en-GB"><code>CSP: style-src-attr</code></a></li> <li><a href="https://developer-mozilla-org.translate.goog/en-US/docs/Web/HTTP/Headers/Content-Security-Policy/style-src-elem?_x_tr_sl=pl&_x_tr_tl=tr&_x_tr_hl=en-GB"><code>CSP: style-src-elem</code></a></li> <li><a href="https://developer-mozilla-org.translate.goog/en-US/docs/Web/HTTP/Headers/Content-Security-Policy/trusted-types?_x_tr_sl=pl&_x_tr_tl=tr&_x_tr_hl=en-GB"><code>CSP: trusted-types</code></a><abbr class="icon icon-experimental" title="Experimental. Expect behavior to change in the future."> <span class="visually-hidden">Experimental</span> </abbr></li> <li><a href="https://developer-mozilla-org.translate.goog/en-US/docs/Web/HTTP/Headers/Content-Security-Policy/upgrade-insecure-requests?_x_tr_sl=pl&_x_tr_tl=tr&_x_tr_hl=en-GB"><code>CSP: upgrade-insecure-requests</code></a></li> <li><a href="https://developer-mozilla-org.translate.goog/en-US/docs/Web/HTTP/Headers/Content-Security-Policy/worker-src?_x_tr_sl=pl&_x_tr_tl=tr&_x_tr_hl=en-GB"><code>CSP: worker-src</code></a></li> </ol> </details></li> <li class="toggle"> <details> <summary>CORS errors</summary> <ol> <li><a href="https://developer-mozilla-org.translate.goog/en-US/docs/Web/HTTP/CORS/Errors/CORSDisabled?_x_tr_sl=pl&_x_tr_tl=tr&_x_tr_hl=en-GB"><code>Reason: CORS disabled</code></a></li> <li><a href="https://developer-mozilla-org.translate.goog/en-US/docs/Web/HTTP/CORS/Errors/CORSAllowOriginNotMatchingOrigin?_x_tr_sl=pl&_x_tr_tl=tr&_x_tr_hl=en-GB"><code>Reason: CORS header 'Access-Control-Allow-Origin' does not match 'xyz'</code></a></li> <li><a href="https://developer-mozilla-org.translate.goog/en-US/docs/Web/HTTP/CORS/Errors/CORSMissingAllowOrigin?_x_tr_sl=pl&_x_tr_tl=tr&_x_tr_hl=en-GB"><code>Reason: CORS header 'Access-Control-Allow-Origin' missing</code></a></li> <li><a href="https://developer-mozilla-org.translate.goog/en-US/docs/Web/HTTP/CORS/Errors/CORSOriginHeaderNotAdded?_x_tr_sl=pl&_x_tr_tl=tr&_x_tr_hl=en-GB"><code>Reason: CORS header 'Origin' cannot be added</code></a></li> <li><a href="https://developer-mozilla-org.translate.goog/en-US/docs/Web/HTTP/CORS/Errors/CORSPreflightDidNotSucceed?_x_tr_sl=pl&_x_tr_tl=tr&_x_tr_hl=en-GB"><code>Reason: CORS preflight channel did not succeed</code></a></li> <li><a href="https://developer-mozilla-org.translate.goog/en-US/docs/Web/HTTP/CORS/Errors/CORSDidNotSucceed?_x_tr_sl=pl&_x_tr_tl=tr&_x_tr_hl=en-GB"><code>Reason: CORS request did not succeed</code></a></li> <li><a href="https://developer-mozilla-org.translate.goog/en-US/docs/Web/HTTP/CORS/Errors/CORSExternalRedirectNotAllowed?_x_tr_sl=pl&_x_tr_tl=tr&_x_tr_hl=en-GB"><code>Reason: CORS request external redirect not allowed</code></a></li> <li><a href="https://developer-mozilla-org.translate.goog/en-US/docs/Web/HTTP/CORS/Errors/CORSRequestNotHttp?_x_tr_sl=pl&_x_tr_tl=tr&_x_tr_hl=en-GB"><code>Reason: CORS request not HTTP</code></a></li> <li><a href="https://developer-mozilla-org.translate.goog/en-US/docs/Web/HTTP/CORS/Errors/CORSNotSupportingCredentials?_x_tr_sl=pl&_x_tr_tl=tr&_x_tr_hl=en-GB"><code>Reason: Credential is not supported if the CORS header 'Access-Control-Allow-Origin' is '*'</code></a></li> <li><a href="https://developer-mozilla-org.translate.goog/en-US/docs/Web/HTTP/CORS/Errors/CORSMethodNotFound?_x_tr_sl=pl&_x_tr_tl=tr&_x_tr_hl=en-GB"><code>Reason: Did not find method in CORS header 'Access-Control-Allow-Methods'</code></a></li> <li><a href="https://developer-mozilla-org.translate.goog/en-US/docs/Web/HTTP/CORS/Errors/CORSMIssingAllowCredentials?_x_tr_sl=pl&_x_tr_tl=tr&_x_tr_hl=en-GB"><code>Reason: expected 'true' in CORS header 'Access-Control-Allow-Credentials'</code></a></li> <li><a href="https://developer-mozilla-org.translate.goog/en-US/docs/Web/HTTP/CORS/Errors/CORSInvalidAllowHeader?_x_tr_sl=pl&_x_tr_tl=tr&_x_tr_hl=en-GB"><code>Reason: invalid token 'xyz' in CORS header 'Access-Control-Allow-Headers'</code></a></li> <li><a href="https://developer-mozilla-org.translate.goog/en-US/docs/Web/HTTP/CORS/Errors/CORSInvalidAllowMethod?_x_tr_sl=pl&_x_tr_tl=tr&_x_tr_hl=en-GB"><code>Reason: invalid token 'xyz' in CORS header 'Access-Control-Allow-Methods'</code></a></li> <li><a href="https://developer-mozilla-org.translate.goog/en-US/docs/Web/HTTP/CORS/Errors/CORSMissingAllowHeaderFromPreflight?_x_tr_sl=pl&_x_tr_tl=tr&_x_tr_hl=en-GB"><code>Reason: missing token 'xyz' in CORS header 'Access-Control-Allow-Headers' from CORS preflight channel</code></a></li> <li><a href="https://developer-mozilla-org.translate.goog/en-US/docs/Web/HTTP/CORS/Errors/CORSMultipleAllowOriginNotAllowed?_x_tr_sl=pl&_x_tr_tl=tr&_x_tr_hl=en-GB"><code>Reason: Multiple CORS header 'Access-Control-Allow-Origin' not allowed</code></a></li> </ol> </details></li> <li class="toggle"> <details> <summary>Permissions-Policy directives</summary> <ol> <li><a href="https://developer-mozilla-org.translate.goog/en-US/docs/Web/HTTP/Headers/Permissions-Policy/accelerometer?_x_tr_sl=pl&_x_tr_tl=tr&_x_tr_hl=en-GB"><code>Permissions-Policy: accelerometer</code></a><abbr class="icon icon-experimental" title="Experimental. Expect behavior to change in the future."> <span class="visually-hidden">Experimental</span> </abbr></li> <li><a href="https://developer-mozilla-org.translate.goog/en-US/docs/Web/HTTP/Headers/Permissions-Policy/ambient-light-sensor?_x_tr_sl=pl&_x_tr_tl=tr&_x_tr_hl=en-GB"><code>Permissions-Policy: ambient-light-sensor</code></a><abbr class="icon icon-experimental" title="Experimental. Expect behavior to change in the future."> <span class="visually-hidden">Experimental</span> </abbr></li> <li><a href="https://developer-mozilla-org.translate.goog/en-US/docs/Web/HTTP/Headers/Permissions-Policy/attribution-reporting?_x_tr_sl=pl&_x_tr_tl=tr&_x_tr_hl=en-GB"><code>Permissions-Policy: attribution-reporting</code></a><abbr class="icon icon-experimental" title="Experimental. Expect behavior to change in the future."> <span class="visually-hidden">Experimental</span> </abbr></li> <li><a href="https://developer-mozilla-org.translate.goog/en-US/docs/Web/HTTP/Headers/Permissions-Policy/autoplay?_x_tr_sl=pl&_x_tr_tl=tr&_x_tr_hl=en-GB"><code>Permissions-Policy: autoplay</code></a><abbr class="icon icon-experimental" title="Experimental. Expect behavior to change in the future."> <span class="visually-hidden">Experimental</span> </abbr></li> <li><a href="https://developer-mozilla-org.translate.goog/en-US/docs/Web/HTTP/Headers/Permissions-Policy/bluetooth?_x_tr_sl=pl&_x_tr_tl=tr&_x_tr_hl=en-GB"><code>Permissions-Policy: bluetooth</code></a><abbr class="icon icon-experimental" title="Experimental. Expect behavior to change in the future."> <span class="visually-hidden">Experimental</span> </abbr></li> <li><a href="https://developer-mozilla-org.translate.goog/en-US/docs/Web/HTTP/Headers/Permissions-Policy/browsing-topics?_x_tr_sl=pl&_x_tr_tl=tr&_x_tr_hl=en-GB"><code>Permissions-Policy: browsing-topics</code></a><abbr class="icon icon-experimental" title="Experimental. Expect behavior to change in the future."> <span class="visually-hidden">Experimental</span> </abbr><abbr class="icon icon-nonstandard" title="Non-standard. Check cross-browser support before using."> <span class="visually-hidden">Non-standard</span> </abbr></li> <li><a href="https://developer-mozilla-org.translate.goog/en-US/docs/Web/HTTP/Headers/Permissions-Policy/camera?_x_tr_sl=pl&_x_tr_tl=tr&_x_tr_hl=en-GB"><code>Permissions-Policy: camera</code></a><abbr class="icon icon-experimental" title="Experimental. Expect behavior to change in the future."> <span class="visually-hidden">Experimental</span> </abbr></li> <li><a href="https://developer-mozilla-org.translate.goog/en-US/docs/Web/HTTP/Headers/Permissions-Policy/compute-pressure?_x_tr_sl=pl&_x_tr_tl=tr&_x_tr_hl=en-GB"><code>Permissions-Policy: compute-pressure</code></a><abbr class="icon icon-experimental" title="Experimental. Expect behavior to change in the future."> <span class="visually-hidden">Experimental</span> </abbr></li> <li><a href="https://developer-mozilla-org.translate.goog/en-US/docs/Web/HTTP/Headers/Permissions-Policy/cross-origin-isolated?_x_tr_sl=pl&_x_tr_tl=tr&_x_tr_hl=en-GB"><code>Permissions-Policy: cross-origin-isolated</code></a><abbr class="icon icon-experimental" title="Experimental. Expect behavior to change in the future."> <span class="visually-hidden">Experimental</span> </abbr></li> <li><a href="https://developer-mozilla-org.translate.goog/en-US/docs/Web/HTTP/Headers/Permissions-Policy/display-capture?_x_tr_sl=pl&_x_tr_tl=tr&_x_tr_hl=en-GB"><code>Permissions-Policy: display-capture</code></a><abbr class="icon icon-experimental" title="Experimental. Expect behavior to change in the future."> <span class="visually-hidden">Experimental</span> </abbr></li> <li><a href="https://developer-mozilla-org.translate.goog/en-US/docs/Web/HTTP/Headers/Permissions-Policy/document-domain?_x_tr_sl=pl&_x_tr_tl=tr&_x_tr_hl=en-GB"><code>Permissions-Policy: document-domain</code></a><abbr class="icon icon-experimental" title="Experimental. Expect behavior to change in the future."> <span class="visually-hidden">Experimental</span> </abbr></li> <li><a href="https://developer-mozilla-org.translate.goog/en-US/docs/Web/HTTP/Headers/Permissions-Policy/encrypted-media?_x_tr_sl=pl&_x_tr_tl=tr&_x_tr_hl=en-GB"><code>Permissions-Policy: encrypted-media</code></a><abbr class="icon icon-experimental" title="Experimental. Expect behavior to change in the future."> <span class="visually-hidden">Experimental</span> </abbr></li> <li><a href="https://developer-mozilla-org.translate.goog/en-US/docs/Web/HTTP/Headers/Permissions-Policy/fullscreen?_x_tr_sl=pl&_x_tr_tl=tr&_x_tr_hl=en-GB"><code>Permissions-Policy: fullscreen</code></a><abbr class="icon icon-experimental" title="Experimental. Expect behavior to change in the future."> <span class="visually-hidden">Experimental</span> </abbr></li> <li><a href="https://developer-mozilla-org.translate.goog/en-US/docs/Web/HTTP/Headers/Permissions-Policy/gamepad?_x_tr_sl=pl&_x_tr_tl=tr&_x_tr_hl=en-GB"><code>Permissions-Policy: gamepad</code></a><abbr class="icon icon-experimental" title="Experimental. Expect behavior to change in the future."> <span class="visually-hidden">Experimental</span> </abbr></li> <li><a href="https://developer-mozilla-org.translate.goog/en-US/docs/Web/HTTP/Headers/Permissions-Policy/geolocation?_x_tr_sl=pl&_x_tr_tl=tr&_x_tr_hl=en-GB"><code>Permissions-Policy: geolocation</code></a><abbr class="icon icon-experimental" title="Experimental. Expect behavior to change in the future."> <span class="visually-hidden">Experimental</span> </abbr></li> <li><a href="https://developer-mozilla-org.translate.goog/en-US/docs/Web/HTTP/Headers/Permissions-Policy/gyroscope?_x_tr_sl=pl&_x_tr_tl=tr&_x_tr_hl=en-GB"><code>Permissions-Policy: gyroscope</code></a><abbr class="icon icon-experimental" title="Experimental. Expect behavior to change in the future."> <span class="visually-hidden">Experimental</span> </abbr></li> <li><a href="https://developer-mozilla-org.translate.goog/en-US/docs/Web/HTTP/Headers/Permissions-Policy/hid?_x_tr_sl=pl&_x_tr_tl=tr&_x_tr_hl=en-GB"><code>Permissions-Policy: hid</code></a><abbr class="icon icon-experimental" title="Experimental. Expect behavior to change in the future."> <span class="visually-hidden">Experimental</span> </abbr></li> <li><a href="https://developer-mozilla-org.translate.goog/en-US/docs/Web/HTTP/Headers/Permissions-Policy/identity-credentials-get?_x_tr_sl=pl&_x_tr_tl=tr&_x_tr_hl=en-GB"><code>Permissions-Policy: identity-credentials-get</code></a><abbr class="icon icon-experimental" title="Experimental. Expect behavior to change in the future."> <span class="visually-hidden">Experimental</span> </abbr></li> <li><a href="https://developer-mozilla-org.translate.goog/en-US/docs/Web/HTTP/Headers/Permissions-Policy/idle-detection?_x_tr_sl=pl&_x_tr_tl=tr&_x_tr_hl=en-GB"><code>Permissions-Policy: idle-detection</code></a><abbr class="icon icon-experimental" title="Experimental. Expect behavior to change in the future."> <span class="visually-hidden">Experimental</span> </abbr></li> <li><a href="https://developer-mozilla-org.translate.goog/en-US/docs/Web/HTTP/Headers/Permissions-Policy/local-fonts?_x_tr_sl=pl&_x_tr_tl=tr&_x_tr_hl=en-GB"><code>Permissions-Policy: local-fonts</code></a><abbr class="icon icon-experimental" title="Experimental. Expect behavior to change in the future."> <span class="visually-hidden">Experimental</span> </abbr></li> <li><a href="https://developer-mozilla-org.translate.goog/en-US/docs/Web/HTTP/Headers/Permissions-Policy/magnetometer?_x_tr_sl=pl&_x_tr_tl=tr&_x_tr_hl=en-GB"><code>Permissions-Policy: magnetometer</code></a><abbr class="icon icon-experimental" title="Experimental. Expect behavior to change in the future."> <span class="visually-hidden">Experimental</span> </abbr></li> <li><a href="https://developer-mozilla-org.translate.goog/en-US/docs/Web/HTTP/Headers/Permissions-Policy/microphone?_x_tr_sl=pl&_x_tr_tl=tr&_x_tr_hl=en-GB"><code>Permissions-Policy: microphone</code></a><abbr class="icon icon-experimental" title="Experimental. Expect behavior to change in the future."> <span class="visually-hidden">Experimental</span> </abbr></li> <li><a href="https://developer-mozilla-org.translate.goog/en-US/docs/Web/HTTP/Headers/Permissions-Policy/midi?_x_tr_sl=pl&_x_tr_tl=tr&_x_tr_hl=en-GB"><code>Permissions-Policy: midi</code></a><abbr class="icon icon-experimental" title="Experimental. Expect behavior to change in the future."> <span class="visually-hidden">Experimental</span> </abbr></li> <li><a href="https://developer-mozilla-org.translate.goog/en-US/docs/Web/HTTP/Headers/Permissions-Policy/otp-credentials?_x_tr_sl=pl&_x_tr_tl=tr&_x_tr_hl=en-GB"><code>Permissions-Policy: otp-credentials</code></a><abbr class="icon icon-experimental" title="Experimental. Expect behavior to change in the future."> <span class="visually-hidden">Experimental</span> </abbr></li> <li><a href="https://developer-mozilla-org.translate.goog/en-US/docs/Web/HTTP/Headers/Permissions-Policy/payment?_x_tr_sl=pl&_x_tr_tl=tr&_x_tr_hl=en-GB"><code>Permissions-Policy: payment</code></a><abbr class="icon icon-experimental" title="Experimental. Expect behavior to change in the future."> <span class="visually-hidden">Experimental</span> </abbr></li> <li><a href="https://developer-mozilla-org.translate.goog/en-US/docs/Web/HTTP/Headers/Permissions-Policy/picture-in-picture?_x_tr_sl=pl&_x_tr_tl=tr&_x_tr_hl=en-GB"><code>Permissions-Policy: picture-in-picture</code></a><abbr class="icon icon-experimental" title="Experimental. Expect behavior to change in the future."> <span class="visually-hidden">Experimental</span> </abbr></li> <li><a href="https://developer-mozilla-org.translate.goog/en-US/docs/Web/HTTP/Headers/Permissions-Policy/publickey-credentials-create?_x_tr_sl=pl&_x_tr_tl=tr&_x_tr_hl=en-GB"><code>Permissions-Policy: publickey-credentials-create</code></a><abbr class="icon icon-experimental" title="Experimental. Expect behavior to change in the future."> <span class="visually-hidden">Experimental</span> </abbr></li> <li><a href="https://developer-mozilla-org.translate.goog/en-US/docs/Web/HTTP/Headers/Permissions-Policy/publickey-credentials-get?_x_tr_sl=pl&_x_tr_tl=tr&_x_tr_hl=en-GB"><code>Permissions-Policy: publickey-credentials-get</code></a><abbr class="icon icon-experimental" title="Experimental. Expect behavior to change in the future."> <span class="visually-hidden">Experimental</span> </abbr></li> <li><a href="https://developer-mozilla-org.translate.goog/en-US/docs/Web/HTTP/Headers/Permissions-Policy/screen-wake-lock?_x_tr_sl=pl&_x_tr_tl=tr&_x_tr_hl=en-GB"><code>Permissions-Policy: screen-wake-lock</code></a><abbr class="icon icon-experimental" title="Experimental. Expect behavior to change in the future."> <span class="visually-hidden">Experimental</span> </abbr></li> <li><a href="https://developer-mozilla-org.translate.goog/en-US/docs/Web/HTTP/Headers/Permissions-Policy/serial?_x_tr_sl=pl&_x_tr_tl=tr&_x_tr_hl=en-GB"><code>Permissions-Policy: serial</code></a><abbr class="icon icon-experimental" title="Experimental. Expect behavior to change in the future."> <span class="visually-hidden">Experimental</span> </abbr></li> <li><a href="https://developer-mozilla-org.translate.goog/en-US/docs/Web/HTTP/Headers/Permissions-Policy/speaker-selection?_x_tr_sl=pl&_x_tr_tl=tr&_x_tr_hl=en-GB"><code>Permissions-Policy: speaker-selection</code></a><abbr class="icon icon-experimental" title="Experimental. Expect behavior to change in the future."> <span class="visually-hidden">Experimental</span> </abbr></li> <li><a href="https://developer-mozilla-org.translate.goog/en-US/docs/Web/HTTP/Headers/Permissions-Policy/storage-access?_x_tr_sl=pl&_x_tr_tl=tr&_x_tr_hl=en-GB"><code>Permissions-Policy: storage-access</code></a><abbr class="icon icon-experimental" title="Experimental. Expect behavior to change in the future."> <span class="visually-hidden">Experimental</span> </abbr></li> <li><a href="https://developer-mozilla-org.translate.goog/en-US/docs/Web/HTTP/Headers/Permissions-Policy/usb?_x_tr_sl=pl&_x_tr_tl=tr&_x_tr_hl=en-GB"><code>Permissions-Policy: usb</code></a><abbr class="icon icon-experimental" title="Experimental. Expect behavior to change in the future."> <span class="visually-hidden">Experimental</span> </abbr></li> <li><a href="https://developer-mozilla-org.translate.goog/en-US/docs/Web/HTTP/Headers/Permissions-Policy/web-share?_x_tr_sl=pl&_x_tr_tl=tr&_x_tr_hl=en-GB"><code>Permissions-Policy: web-share</code></a><abbr class="icon icon-experimental" title="Experimental. Expect behavior to change in the future."> <span class="visually-hidden">Experimental</span> </abbr></li> <li><a href="https://developer-mozilla-org.translate.goog/en-US/docs/Web/HTTP/Headers/Permissions-Policy/window-management?_x_tr_sl=pl&_x_tr_tl=tr&_x_tr_hl=en-GB"><code>Permissions-Policy: window-management</code></a><abbr class="icon icon-experimental" title="Experimental. Expect behavior to change in the future."> <span class="visually-hidden">Experimental</span> </abbr></li> <li><a href="https://developer-mozilla-org.translate.goog/en-US/docs/Web/HTTP/Headers/Permissions-Policy/xr-spatial-tracking?_x_tr_sl=pl&_x_tr_tl=tr&_x_tr_hl=en-GB"><code>Permissions-Policy: xr-spatial-tracking</code></a><abbr class="icon icon-experimental" title="Experimental. Expect behavior to change in the future."> <span class="visually-hidden">Experimental</span> </abbr></li> </ol> </details></li> <li><a href="https://developer-mozilla-org.translate.goog/en-US/docs/Web/HTTP/Resources_and_specifications?_x_tr_sl=pl&_x_tr_tl=tr&_x_tr_hl=en-GB">HTTP resources and specifications</a></li> </ol> </div> </div> <section class="place side"></section> </nav> </aside> <div class="toc-container"> <aside class="toc"> <nav> <div class="document-toc-container"> <section class="document-toc"> <header> <h2 class="document-toc-heading">In this article</h2> </header> <ul class="document-toc-list"> <li class="document-toc-item "><a class="document-toc-link" href="https://developer-mozilla-org.translate.goog/en-US/docs/Web/HTTP/CORS?_x_tr_sl=pl&_x_tr_tl=tr&_x_tr_hl=en-GB#what_requests_use_cors">What requests use CORS?</a></li> <li class="document-toc-item "><a class="document-toc-link" href="https://developer-mozilla-org.translate.goog/en-US/docs/Web/HTTP/CORS?_x_tr_sl=pl&_x_tr_tl=tr&_x_tr_hl=en-GB#functional_overview">Functional overview</a></li> <li class="document-toc-item "><a class="document-toc-link" href="https://developer-mozilla-org.translate.goog/en-US/docs/Web/HTTP/CORS?_x_tr_sl=pl&_x_tr_tl=tr&_x_tr_hl=en-GB#examples_of_access_control_scenarios">Examples of access control scenarios</a></li> <li class="document-toc-item "><a class="document-toc-link" href="https://developer-mozilla-org.translate.goog/en-US/docs/Web/HTTP/CORS?_x_tr_sl=pl&_x_tr_tl=tr&_x_tr_hl=en-GB#the_http_response_headers">The HTTP response headers</a></li> <li class="document-toc-item "><a class="document-toc-link" href="https://developer-mozilla-org.translate.goog/en-US/docs/Web/HTTP/CORS?_x_tr_sl=pl&_x_tr_tl=tr&_x_tr_hl=en-GB#the_http_request_headers">The HTTP request headers</a></li> <li class="document-toc-item "><a class="document-toc-link" href="https://developer-mozilla-org.translate.goog/en-US/docs/Web/HTTP/CORS?_x_tr_sl=pl&_x_tr_tl=tr&_x_tr_hl=en-GB#specifications">Specifications</a></li> <li class="document-toc-item "><a class="document-toc-link" href="https://developer-mozilla-org.translate.goog/en-US/docs/Web/HTTP/CORS?_x_tr_sl=pl&_x_tr_tl=tr&_x_tr_hl=en-GB#browser_compatibility">Browser compatibility</a></li> <li class="document-toc-item "><a class="document-toc-link" href="https://developer-mozilla-org.translate.goog/en-US/docs/Web/HTTP/CORS?_x_tr_sl=pl&_x_tr_tl=tr&_x_tr_hl=en-GB#see_also">See also</a></li> </ul> </section> </div> </nav> </aside> <section class="place side"></section> </div> </div> <main id="content" class="main-content "> <article class="main-page-content" lang="en-US"> <header> <h1>Cross-Origin Resource Sharing (CORS)</h1> <details class="baseline-indicator high"> <summary><span class="indicator" role="img" aria-label="Baseline Check"></span> <div class="status-title"> Baseline<!-- --> <span class="not-bold">Widely available</span> </div> <div class="browsers"> <span class="engine" title="Supported in Chrome and Edge"><span class="browser chrome supported" role="img" aria-label="Chrome check"></span><span class="browser edge supported" role="img" aria-label="Edge check"></span></span><span class="engine" title="Supported in Firefox"><span class="browser firefox supported" role="img" aria-label="Firefox check"></span></span><span class="engine" title="Supported in Safari"><span class="browser safari supported" role="img" aria-label="Safari check"></span></span> </div><span class="icon icon-chevron "></span></summary> <div class="extra"> <p>This feature is well established and works across many devices and browser versions. It’s been available across browsers since<!-- --> <!-- -->July 2015<!-- -->.</p> <ul> <li><a href="https://developer-mozilla-org.translate.goog/en-US/docs/Glossary/Baseline/Compatibility?_x_tr_sl=pl&_x_tr_tl=tr&_x_tr_hl=en-GB" data-glean="baseline_link_learn_more" target="_blank" class="learn-more">Learn more</a></li> <li><a href="https://developer-mozilla-org.translate.goog/en-US/docs/Web/HTTP/CORS?_x_tr_sl=pl&_x_tr_tl=tr&_x_tr_hl=en-GB#browser_compatibility" data-glean="baseline_link_bcd_table">See full compatibility</a></li> <li><a href="https://translate.google.com/website?sl=pl&tl=tr&hl=en-GB&u=https://survey.alchemer.com/s3/7634825/MDN-baseline-feedback?page%3D%252Fen-US%252Fdocs%252FWeb%252FHTTP%252FCORS%26level%3Dhigh" data-glean="baseline_link_feedback" class="feedback-link" target="_blank" rel="noreferrer">Report feedback</a></li> </ul> </div> </details> </header> <div class="section-content"> <p><strong>Cross-Origin Resource Sharing</strong> (<a href="https://developer-mozilla-org.translate.goog/en-US/docs/Glossary/CORS?_x_tr_sl=pl&_x_tr_tl=tr&_x_tr_hl=en-GB">CORS</a>) is an <a href="https://developer-mozilla-org.translate.goog/en-US/docs/Glossary/HTTP?_x_tr_sl=pl&_x_tr_tl=tr&_x_tr_hl=en-GB">HTTP</a>-header based mechanism that allows a server to indicate any <a href="https://developer-mozilla-org.translate.goog/en-US/docs/Glossary/Origin?_x_tr_sl=pl&_x_tr_tl=tr&_x_tr_hl=en-GB">origins</a> (domain, scheme, or port) other than its own from which a browser should permit loading resources. CORS also relies on a mechanism by which browsers make a "preflight" request to the server hosting the cross-origin resource, in order to check that the server will permit the actual request. In that preflight, the browser sends headers that indicate the HTTP method and headers that will be used in the actual request.</p> <p>An example of a cross-origin request: the front-end JavaScript code served from <code>https://domain-a.com</code> uses <a href="https://developer-mozilla-org.translate.goog/en-US/docs/Web/API/Window/fetch?_x_tr_sl=pl&_x_tr_tl=tr&_x_tr_hl=en-GB" title="fetch()"><code>fetch()</code></a> to make a request for <code>https://domain-b.com/data.json</code>.</p> <p>For security reasons, browsers restrict cross-origin HTTP requests initiated from scripts. For example, <code>fetch()</code> and <a href="https://developer-mozilla-org.translate.goog/en-US/docs/Web/API/XMLHttpRequest?_x_tr_sl=pl&_x_tr_tl=tr&_x_tr_hl=en-GB"><code>XMLHttpRequest</code></a> follow the <a href="https://developer-mozilla-org.translate.goog/en-US/docs/Web/Security/Same-origin_policy?_x_tr_sl=pl&_x_tr_tl=tr&_x_tr_hl=en-GB">same-origin policy</a>. This means that a web application using those APIs can only request resources from the same origin the application was loaded from unless the response from other origins includes the right CORS headers.</p> <p><img src="https://mdn.github.io/shared-assets/images/diagrams/http/cors/fetching-page-cors.svg" alt="Diagrammatic representation of CORS mechanism" loading="lazy"></p> <p>The CORS mechanism supports secure cross-origin requests and data transfers between browsers and servers. Browsers use CORS in APIs such as <code>fetch()</code> or <code>XMLHttpRequest</code> to mitigate the risks of cross-origin HTTP requests.</p> </div> <section aria-labelledby="what_requests_use_cors"> <h2 id="what_requests_use_cors"><a href="https://developer-mozilla-org.translate.goog/en-US/docs/Web/HTTP/CORS?_x_tr_sl=pl&_x_tr_tl=tr&_x_tr_hl=en-GB#what_requests_use_cors">What requests use CORS?</a></h2> <div class="section-content"> <p>This <a href="https://translate.google.com/website?sl=pl&tl=tr&hl=en-GB&u=https://fetch.spec.whatwg.org/%23http-cors-protocol" class="external" target="_blank">cross-origin sharing standard</a> can enable cross-origin HTTP requests for:</p> <ul> <li>Invocations of <code>fetch()</code> or <code>XMLHttpRequest</code>, as discussed above.</li> <li>Web Fonts (for cross-domain font usage in <code>@font-face</code> within CSS), <a href="https://translate.google.com/website?sl=pl&tl=tr&hl=en-GB&u=https://www.w3.org/TR/css-fonts-3/%23font-fetching-requirements" class="external" target="_blank">so that servers can deploy TrueType fonts that can only be loaded cross-origin and used by websites that are permitted to do so.</a></li> <li><a href="https://developer-mozilla-org.translate.goog/en-US/docs/Web/API/WebGL_API/Tutorial/Using_textures_in_WebGL?_x_tr_sl=pl&_x_tr_tl=tr&_x_tr_hl=en-GB">WebGL textures</a>.</li> <li>Images/video frames drawn to a canvas using <a href="https://developer-mozilla-org.translate.goog/en-US/docs/Web/API/CanvasRenderingContext2D/drawImage?_x_tr_sl=pl&_x_tr_tl=tr&_x_tr_hl=en-GB" title="drawImage()"><code>drawImage()</code></a>.</li> <li><a href="https://developer-mozilla-org.translate.goog/en-US/docs/Web/CSS/CSS_shapes/Shapes_from_images?_x_tr_sl=pl&_x_tr_tl=tr&_x_tr_hl=en-GB">CSS Shapes from images.</a></li> </ul> <p>This is a general article about Cross-Origin Resource Sharing and includes a discussion of the necessary HTTP headers.</p> </div> </section> <section aria-labelledby="functional_overview"> <h2 id="functional_overview"><a href="https://developer-mozilla-org.translate.goog/en-US/docs/Web/HTTP/CORS?_x_tr_sl=pl&_x_tr_tl=tr&_x_tr_hl=en-GB#functional_overview">Functional overview</a></h2> <div class="section-content"> <p>The Cross-Origin Resource Sharing standard works by adding new <a href="https://developer-mozilla-org.translate.goog/en-US/docs/Web/HTTP/Headers?_x_tr_sl=pl&_x_tr_tl=tr&_x_tr_hl=en-GB">HTTP headers</a> that let servers describe which origins are permitted to read that information from a web browser. Additionally, for HTTP request methods that can cause side-effects on server data (in particular, HTTP methods other than <a href="https://developer-mozilla-org.translate.goog/en-US/docs/Web/HTTP/Methods/GET?_x_tr_sl=pl&_x_tr_tl=tr&_x_tr_hl=en-GB"><code>GET</code></a>, or <a href="https://developer-mozilla-org.translate.goog/en-US/docs/Web/HTTP/Methods/POST?_x_tr_sl=pl&_x_tr_tl=tr&_x_tr_hl=en-GB"><code>POST</code></a> with certain <a href="https://developer-mozilla-org.translate.goog/en-US/docs/Web/HTTP/MIME_types?_x_tr_sl=pl&_x_tr_tl=tr&_x_tr_hl=en-GB">MIME types</a>), the specification mandates that browsers "preflight" the request, soliciting supported methods from the server with the HTTP <a href="https://developer-mozilla-org.translate.goog/en-US/docs/Web/HTTP/Methods/OPTIONS?_x_tr_sl=pl&_x_tr_tl=tr&_x_tr_hl=en-GB"><code>OPTIONS</code></a> request method, and then, upon "approval" from the server, sending the actual request. Servers can also inform clients whether "credentials" (such as <a href="https://developer-mozilla-org.translate.goog/en-US/docs/Web/HTTP/Cookies?_x_tr_sl=pl&_x_tr_tl=tr&_x_tr_hl=en-GB">Cookies</a> and <a href="https://developer-mozilla-org.translate.goog/en-US/docs/Web/HTTP/Authentication?_x_tr_sl=pl&_x_tr_tl=tr&_x_tr_hl=en-GB">HTTP Authentication</a>) should be sent with requests.</p> <p>CORS failures result in errors but for security reasons, specifics about the error <em>are not available to JavaScript</em>. All the code knows is that an error occurred. The only way to determine what specifically went wrong is to look at the browser's console for details.</p> <p>Subsequent sections discuss scenarios, as well as provide a breakdown of the HTTP headers used.</p> </div> </section> <section aria-labelledby="examples_of_access_control_scenarios"> <h2 id="examples_of_access_control_scenarios"><a href="https://developer-mozilla-org.translate.goog/en-US/docs/Web/HTTP/CORS?_x_tr_sl=pl&_x_tr_tl=tr&_x_tr_hl=en-GB#examples_of_access_control_scenarios">Examples of access control scenarios</a></h2> <div class="section-content"> <p>We present three scenarios that demonstrate how Cross-Origin Resource Sharing works. All these examples use <a href="https://developer-mozilla-org.translate.goog/en-US/docs/Web/API/Window/fetch?_x_tr_sl=pl&_x_tr_tl=tr&_x_tr_hl=en-GB" title="fetch()"><code>fetch()</code></a>, which can make cross-origin requests in any supporting browser.</p> </div> </section> <section aria-labelledby="simple_requests"> <h3 id="simple_requests"><a href="https://developer-mozilla-org.translate.goog/en-US/docs/Web/HTTP/CORS?_x_tr_sl=pl&_x_tr_tl=tr&_x_tr_hl=en-GB#simple_requests">Simple requests</a></h3> <div class="section-content"> <p>Some requests don't trigger a <a href="https://developer-mozilla-org.translate.goog/en-US/docs/Glossary/Preflight_request?_x_tr_sl=pl&_x_tr_tl=tr&_x_tr_hl=en-GB">CORS preflight</a>. Those are called <em>simple requests</em> from the obsolete <a href="https://translate.google.com/website?sl=pl&tl=tr&hl=en-GB&u=https://www.w3.org/TR/2014/REC-cors-20140116/%23terminology" class="external" target="_blank">CORS spec</a>, though the <a href="https://translate.google.com/website?sl=pl&tl=tr&hl=en-GB&u=https://fetch.spec.whatwg.org/" class="external" target="_blank">Fetch spec</a> (which now defines CORS) doesn't use that term.</p> <p>The motivation is that the <a href="https://developer-mozilla-org.translate.goog/en-US/docs/Web/HTML/Element/form?_x_tr_sl=pl&_x_tr_tl=tr&_x_tr_hl=en-GB"><code><form></code></a> element from HTML 4.0 (which predates cross-site <a href="https://developer-mozilla-org.translate.goog/en-US/docs/Web/API/Window/fetch?_x_tr_sl=pl&_x_tr_tl=tr&_x_tr_hl=en-GB" title="fetch()"><code>fetch()</code></a> and <a href="https://developer-mozilla-org.translate.goog/en-US/docs/Web/API/XMLHttpRequest?_x_tr_sl=pl&_x_tr_tl=tr&_x_tr_hl=en-GB"><code>XMLHttpRequest</code></a>) can submit simple requests to any origin, so anyone writing a server must already be protecting against <a href="https://developer-mozilla-org.translate.goog/en-US/docs/Glossary/CSRF?_x_tr_sl=pl&_x_tr_tl=tr&_x_tr_hl=en-GB">cross-site request forgery</a> (CSRF). Under this assumption, the server doesn't have to opt-in (by responding to a preflight request) to receive any request that looks like a form submission, since the threat of CSRF is no worse than that of form submission. However, the server still must opt-in using <a href="https://developer-mozilla-org.translate.goog/en-US/docs/Web/HTTP/Headers/Access-Control-Allow-Origin?_x_tr_sl=pl&_x_tr_tl=tr&_x_tr_hl=en-GB"><code>Access-Control-Allow-Origin</code></a> to <em>share</em> the response with the script.</p> <p>A <em>simple request</em> is one that <strong>meets all the following conditions</strong>:</p> <ul> <li><p>One of the allowed methods:</p> <ul> <li><a href="https://developer-mozilla-org.translate.goog/en-US/docs/Web/HTTP/Methods/GET?_x_tr_sl=pl&_x_tr_tl=tr&_x_tr_hl=en-GB"><code>GET</code></a></li> <li><a href="https://developer-mozilla-org.translate.goog/en-US/docs/Web/HTTP/Methods/HEAD?_x_tr_sl=pl&_x_tr_tl=tr&_x_tr_hl=en-GB"><code>HEAD</code></a></li> <li><a href="https://developer-mozilla-org.translate.goog/en-US/docs/Web/HTTP/Methods/POST?_x_tr_sl=pl&_x_tr_tl=tr&_x_tr_hl=en-GB"><code>POST</code></a></li> </ul></li> <li><p>Apart from the headers automatically set by the user agent (for example, <a href="https://developer-mozilla-org.translate.goog/en-US/docs/Web/HTTP/Headers/Connection?_x_tr_sl=pl&_x_tr_tl=tr&_x_tr_hl=en-GB"><code>Connection</code></a>, <a href="https://developer-mozilla-org.translate.goog/en-US/docs/Web/HTTP/Headers/User-Agent?_x_tr_sl=pl&_x_tr_tl=tr&_x_tr_hl=en-GB"><code>User-Agent</code></a>, or the <a href="https://developer-mozilla-org.translate.goog/en-US/docs/Glossary/Forbidden_request_header?_x_tr_sl=pl&_x_tr_tl=tr&_x_tr_hl=en-GB">forbidden request headers</a>), the only headers which are allowed to be manually set are the <a href="https://developer-mozilla-org.translate.goog/en-US/docs/Glossary/CORS-safelisted_request_header?_x_tr_sl=pl&_x_tr_tl=tr&_x_tr_hl=en-GB">CORS-safelisted request-headers</a>, which are:</p> <ul> <li><a href="https://developer-mozilla-org.translate.goog/en-US/docs/Web/HTTP/Headers/Accept?_x_tr_sl=pl&_x_tr_tl=tr&_x_tr_hl=en-GB"><code>Accept</code></a></li> <li><a href="https://developer-mozilla-org.translate.goog/en-US/docs/Web/HTTP/Headers/Accept-Language?_x_tr_sl=pl&_x_tr_tl=tr&_x_tr_hl=en-GB"><code>Accept-Language</code></a></li> <li><a href="https://developer-mozilla-org.translate.goog/en-US/docs/Web/HTTP/Headers/Content-Language?_x_tr_sl=pl&_x_tr_tl=tr&_x_tr_hl=en-GB"><code>Content-Language</code></a></li> <li><a href="https://developer-mozilla-org.translate.goog/en-US/docs/Web/HTTP/Headers/Content-Type?_x_tr_sl=pl&_x_tr_tl=tr&_x_tr_hl=en-GB"><code>Content-Type</code></a> (please note the additional requirements below)</li> <li><a href="https://developer-mozilla-org.translate.goog/en-US/docs/Web/HTTP/Headers/Range?_x_tr_sl=pl&_x_tr_tl=tr&_x_tr_hl=en-GB"><code>Range</code></a> (only with a <a href="https://translate.google.com/website?sl=pl&tl=tr&hl=en-GB&u=https://fetch.spec.whatwg.org/%23simple-range-header-value" class="external" target="_blank">simple range header value</a>; e.g., <code>bytes=256-</code> or <code>bytes=127-255</code>)</li> </ul></li> <li><p>The only type/subtype combinations allowed for the <a href="https://developer-mozilla-org.translate.goog/en-US/docs/Glossary/MIME_type?_x_tr_sl=pl&_x_tr_tl=tr&_x_tr_hl=en-GB">media type</a> specified in the <a href="https://developer-mozilla-org.translate.goog/en-US/docs/Web/HTTP/Headers/Content-Type?_x_tr_sl=pl&_x_tr_tl=tr&_x_tr_hl=en-GB"><code>Content-Type</code></a> header are:</p> <ul> <li><code>application/x-www-form-urlencoded</code></li> <li><code>multipart/form-data</code></li> <li><code>text/plain</code></li> </ul></li> <li><p>If the request is made using an <a href="https://developer-mozilla-org.translate.goog/en-US/docs/Web/API/XMLHttpRequest?_x_tr_sl=pl&_x_tr_tl=tr&_x_tr_hl=en-GB"><code>XMLHttpRequest</code></a> object, no event listeners are registered on the object returned by the <a href="https://developer-mozilla-org.translate.goog/en-US/docs/Web/API/XMLHttpRequest/upload?_x_tr_sl=pl&_x_tr_tl=tr&_x_tr_hl=en-GB"><code>XMLHttpRequest.upload</code></a> property used in the request; that is, given an <a href="https://developer-mozilla-org.translate.goog/en-US/docs/Web/API/XMLHttpRequest?_x_tr_sl=pl&_x_tr_tl=tr&_x_tr_hl=en-GB"><code>XMLHttpRequest</code></a> instance <code>xhr</code>, no code has called <code>xhr.upload.addEventListener()</code> to add an event listener to monitor the upload.</p></li> <li><p>No <a href="https://developer-mozilla-org.translate.goog/en-US/docs/Web/API/ReadableStream?_x_tr_sl=pl&_x_tr_tl=tr&_x_tr_hl=en-GB"><code>ReadableStream</code></a> object is used in the request.</p></li> </ul> <div class="notecard note"> <p><strong>Note:</strong> WebKit Nightly and Safari Technology Preview place additional restrictions on the values allowed in the <a href="https://developer-mozilla-org.translate.goog/en-US/docs/Web/HTTP/Headers/Accept?_x_tr_sl=pl&_x_tr_tl=tr&_x_tr_hl=en-GB"><code>Accept</code></a>, <a href="https://developer-mozilla-org.translate.goog/en-US/docs/Web/HTTP/Headers/Accept-Language?_x_tr_sl=pl&_x_tr_tl=tr&_x_tr_hl=en-GB"><code>Accept-Language</code></a>, and <a href="https://developer-mozilla-org.translate.goog/en-US/docs/Web/HTTP/Headers/Content-Language?_x_tr_sl=pl&_x_tr_tl=tr&_x_tr_hl=en-GB"><code>Content-Language</code></a> headers. If any of those headers have "nonstandard" values, WebKit/Safari does not consider the request to be a "simple request". What values WebKit/Safari consider "nonstandard" is not documented, except in the following WebKit bugs:</p> <ul> <li><a href="https://translate.google.com/website?sl=pl&tl=tr&hl=en-GB&u=https://webkit.org/b/165178" class="external" target="_blank">Require preflight for non-standard CORS-safelisted request headers Accept, Accept-Language, and Content-Language</a></li> <li><a href="https://translate.google.com/website?sl=pl&tl=tr&hl=en-GB&u=https://webkit.org/b/165566" class="external" target="_blank">Allow commas in Accept, Accept-Language, and Content-Language request headers for simple CORS</a></li> <li><a href="https://translate.google.com/website?sl=pl&tl=tr&hl=en-GB&u=https://webkit.org/b/166363" class="external" target="_blank">Switch to a blacklist model for restricted Accept headers in simple CORS requests</a></li> </ul> <p>No other browsers implement these extra restrictions because they're not part of the spec.</p> </div> <p>For example, suppose web content at <code>https://foo.example</code> wishes to fetch JSON content from domain <code>https://bar.other</code>. Code of this sort might be used in JavaScript deployed on <code>foo.example</code>:</p> <div class="code-example"> <div class="example-header"> <span class="language-name">js</span> </div> <pre class="brush: js notranslate"><code>const fetchPromise = fetch("https://bar.other"); fetchPromise .then((response) => response.json()) .then((data) => { console.log(data); }); </code></pre> </div> <p>This operation performs a simple exchange between the client and the server, using CORS headers to handle the privileges:</p> <p><img src="https://mdn.github.io/shared-assets/images/diagrams/http/cors/simple-request.svg" alt="Diagram of simple CORS GET request" loading="lazy"></p> <p>Let's look at what the browser will send to the server in this case:</p> <div class="code-example"> <div class="example-header"> <span class="language-name">http</span> </div> <pre class="brush: http notranslate"><code>GET /resources/public-data/ HTTP/1.1 Host: bar.other User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:71.0) Gecko/20100101 Firefox/71.0 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8 Accept-Language: en-us,en;q=0.5 Accept-Encoding: gzip,deflate Connection: keep-alive Origin: https://foo.example </code></pre> </div> <p>The request header of note is <a href="https://developer-mozilla-org.translate.goog/en-US/docs/Web/HTTP/Headers/Origin?_x_tr_sl=pl&_x_tr_tl=tr&_x_tr_hl=en-GB"><code>Origin</code></a>, which shows that the invocation is coming from <code>https://foo.example</code>.</p> <p>Now let's see how the server responds:</p> <div class="code-example"> <div class="example-header"> <span class="language-name">http</span> </div> <pre class="brush: http notranslate"><code>HTTP/1.1 200 OK Date: Mon, 01 Dec 2008 00:23:53 GMT Server: Apache/2 Access-Control-Allow-Origin: * Keep-Alive: timeout=2, max=100 Connection: Keep-Alive Transfer-Encoding: chunked Content-Type: application/xml […XML Data…] </code></pre> </div> <p>In response, the server returns a <a href="https://developer-mozilla-org.translate.goog/en-US/docs/Web/HTTP/Headers/Access-Control-Allow-Origin?_x_tr_sl=pl&_x_tr_tl=tr&_x_tr_hl=en-GB"><code>Access-Control-Allow-Origin</code></a> header with <code>Access-Control-Allow-Origin: *</code>, which means that the resource can be accessed by <strong>any</strong> origin.</p> <div class="code-example"> <div class="example-header"> <span class="language-name">http</span> </div> <pre class="brush: http notranslate"><code>Access-Control-Allow-Origin: * </code></pre> </div> <p>This pattern of the <a href="https://developer-mozilla-org.translate.goog/en-US/docs/Web/HTTP/Headers/Origin?_x_tr_sl=pl&_x_tr_tl=tr&_x_tr_hl=en-GB"><code>Origin</code></a> and <a href="https://developer-mozilla-org.translate.goog/en-US/docs/Web/HTTP/Headers/Access-Control-Allow-Origin?_x_tr_sl=pl&_x_tr_tl=tr&_x_tr_hl=en-GB"><code>Access-Control-Allow-Origin</code></a> headers is the simplest use of the access control protocol. If the resource owners at <code>https://bar.other</code> wished to restrict access to the resource to requests <em>only</em> from <code>https://foo.example</code> (i.e., no domain other than <code>https://foo.example</code> can access the resource in a cross-origin manner), they would send:</p> <div class="code-example"> <div class="example-header"> <span class="language-name">http</span> </div> <pre class="brush: http notranslate"><code>Access-Control-Allow-Origin: https://foo.example </code></pre> </div> <div class="notecard note"> <p><strong>Note:</strong> When responding to a <a href="https://developer-mozilla-org.translate.goog/en-US/docs/Web/HTTP/CORS?_x_tr_sl=pl&_x_tr_tl=tr&_x_tr_hl=en-GB#requests_with_credentials">credentialed requests</a> request, the server <strong>must</strong> specify an origin in the value of the <code>Access-Control-Allow-Origin</code> header, instead of specifying the <code>*</code> wildcard.</p> </div> </div> </section> <section aria-labelledby="preflighted_requests"> <h3 id="preflighted_requests"><a href="https://developer-mozilla-org.translate.goog/en-US/docs/Web/HTTP/CORS?_x_tr_sl=pl&_x_tr_tl=tr&_x_tr_hl=en-GB#preflighted_requests">Preflighted requests</a></h3> <div class="section-content"> <p>Unlike <a href="https://developer-mozilla-org.translate.goog/en-US/docs/Web/HTTP/CORS?_x_tr_sl=pl&_x_tr_tl=tr&_x_tr_hl=en-GB#simple_requests"><em>simple requests</em></a>, for "preflighted" requests the browser first sends an HTTP request using the <a href="https://developer-mozilla-org.translate.goog/en-US/docs/Web/HTTP/Methods/OPTIONS?_x_tr_sl=pl&_x_tr_tl=tr&_x_tr_hl=en-GB"><code>OPTIONS</code></a> method to the resource on the other origin, in order to determine if the actual request is safe to send. Such cross-origin requests are preflighted since they may have implications for user data.</p> <p>The following is an example of a request that will be preflighted:</p> <div class="code-example"> <div class="example-header"> <span class="language-name">js</span> </div> <pre class="brush: js notranslate"><code>const fetchPromise = fetch("https://bar.other/doc", { method: "POST", mode: "cors", headers: { "Content-Type": "text/xml", "X-PINGOTHER": "pingpong", }, body: "<person><name>Arun</name></person>", }); fetchPromise.then((response) => { console.log(response.status); }); </code></pre> </div> <p>The example above creates an XML body to send with the <code>POST</code> request. Also, a non-standard HTTP <code>X-PINGOTHER</code> request header is set. Such headers are not part of HTTP/1.1, but are generally useful to web applications. Since the request uses a <code>Content-Type</code> of <code>text/xml</code>, and since a custom header is set, this request is preflighted.</p> <p><img src="https://mdn.github.io/shared-assets/images/diagrams/http/cors/preflight-correct.svg" alt="Diagram of a request that is preflighted" loading="lazy"></p> <div class="notecard note"> <p><strong>Note:</strong> As described below, the actual <code>POST</code> request does not include the <code>Access-Control-Request-*</code> headers; they are needed only for the <code>OPTIONS</code> request.</p> </div> <p>Let's look at the full exchange between client and server. The first exchange is the <em>preflight request/response</em>:</p> <div class="code-example"> <div class="example-header"> <span class="language-name">http</span> </div> <pre class="brush: http notranslate"><code>OPTIONS /doc HTTP/1.1 Host: bar.other User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:71.0) Gecko/20100101 Firefox/71.0 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8 Accept-Language: en-us,en;q=0.5 Accept-Encoding: gzip,deflate Connection: keep-alive Origin: https://foo.example Access-Control-Request-Method: POST Access-Control-Request-Headers: content-type,x-pingother HTTP/1.1 204 No Content Date: Mon, 01 Dec 2008 01:15:39 GMT Server: Apache/2 Access-Control-Allow-Origin: https://foo.example Access-Control-Allow-Methods: POST, GET, OPTIONS Access-Control-Allow-Headers: X-PINGOTHER, Content-Type Access-Control-Max-Age: 86400 Vary: Accept-Encoding, Origin Keep-Alive: timeout=2, max=100 Connection: Keep-Alive </code></pre> </div> <p>The first block above represents the preflight request with the <a href="https://developer-mozilla-org.translate.goog/en-US/docs/Web/HTTP/Methods/OPTIONS?_x_tr_sl=pl&_x_tr_tl=tr&_x_tr_hl=en-GB"><code>OPTIONS</code></a> method. The browser determines that it needs to send this based on the request parameters that the JavaScript code snippet above was using, so that the server can respond whether it is acceptable to send the request with the actual request parameters. OPTIONS is an HTTP/1.1 method that is used to determine further information from servers, and is a <a href="https://developer-mozilla-org.translate.goog/en-US/docs/Glossary/Safe/HTTP?_x_tr_sl=pl&_x_tr_tl=tr&_x_tr_hl=en-GB">safe</a> method, meaning that it can't be used to change the resource. Note that along with the OPTIONS request, two other request headers are sent:</p> <div class="code-example"> <div class="example-header"> <span class="language-name">http</span> </div> <pre class="brush: http notranslate"><code>Access-Control-Request-Method: POST Access-Control-Request-Headers: content-type,x-pingother </code></pre> </div> <p>The <a href="https://developer-mozilla-org.translate.goog/en-US/docs/Web/HTTP/Headers/Access-Control-Request-Method?_x_tr_sl=pl&_x_tr_tl=tr&_x_tr_hl=en-GB"><code>Access-Control-Request-Method</code></a> header notifies the server as part of a preflight request that when the actual request is sent, it will do so with a <code>POST</code> request method. The <a href="https://developer-mozilla-org.translate.goog/en-US/docs/Web/HTTP/Headers/Access-Control-Request-Headers?_x_tr_sl=pl&_x_tr_tl=tr&_x_tr_hl=en-GB"><code>Access-Control-Request-Headers</code></a> header notifies the server that when the actual request is sent, it will do so with <code>X-PINGOTHER</code> and <code>Content-Type</code> custom headers. Now the server has an opportunity to determine whether it can accept a request under these conditions.</p> <p>The second block above is the response that the server returns, which indicate that the request method (<code>POST</code>) and request headers (<code>X-PINGOTHER</code>) are acceptable. Let's have a closer look at the following lines:</p> <div class="code-example"> <div class="example-header"> <span class="language-name">http</span> </div> <pre class="brush: http notranslate"><code>Access-Control-Allow-Origin: https://foo.example Access-Control-Allow-Methods: POST, GET, OPTIONS Access-Control-Allow-Headers: X-PINGOTHER, Content-Type Access-Control-Max-Age: 86400 </code></pre> </div> <p>The server responds with <code>Access-Control-Allow-Origin: https://foo.example</code>, restricting access to the requesting origin domain only. It also responds with <code>Access-Control-Allow-Methods</code>, which says that <code>POST</code> and <code>GET</code> are valid methods to query the resource in question (this header is similar to the <a href="https://developer-mozilla-org.translate.goog/en-US/docs/Web/HTTP/Headers/Allow?_x_tr_sl=pl&_x_tr_tl=tr&_x_tr_hl=en-GB"><code>Allow</code></a> response header, but used strictly within the context of access control).</p> <p>The server also sends <code>Access-Control-Allow-Headers</code> with a value of <code>X-PINGOTHER, Content-Type</code>, confirming that these are permitted headers to be used with the actual request. Like <code>Access-Control-Allow-Methods</code>, <code>Access-Control-Allow-Headers</code> is a comma-separated list of acceptable headers.</p> <p>Finally, <a href="https://developer-mozilla-org.translate.goog/en-US/docs/Web/HTTP/Headers/Access-Control-Max-Age?_x_tr_sl=pl&_x_tr_tl=tr&_x_tr_hl=en-GB"><code>Access-Control-Max-Age</code></a> gives the value in seconds for how long the response to the preflight request can be cached without sending another preflight request. The default value is 5 seconds. In the present case, the max age is 86400 seconds (= 24 hours). Note that each browser has a <a href="https://developer-mozilla-org.translate.goog/en-US/docs/Web/HTTP/Headers/Access-Control-Max-Age?_x_tr_sl=pl&_x_tr_tl=tr&_x_tr_hl=en-GB">maximum internal value</a> that takes precedence when the <code>Access-Control-Max-Age</code> exceeds it.</p> <p>Once the preflight request is complete, the real request is sent:</p> <div class="code-example"> <div class="example-header"> <span class="language-name">http</span> </div> <pre class="brush: http notranslate"><code>POST /doc HTTP/1.1 Host: bar.other User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:71.0) Gecko/20100101 Firefox/71.0 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8 Accept-Language: en-us,en;q=0.5 Accept-Encoding: gzip,deflate Connection: keep-alive X-PINGOTHER: pingpong Content-Type: text/xml; charset=UTF-8 Referer: https://foo.example/examples/preflightInvocation.html Content-Length: 55 Origin: https://foo.example Pragma: no-cache Cache-Control: no-cache <person><name>Arun</name></person> HTTP/1.1 200 OK Date: Mon, 01 Dec 2008 01:15:40 GMT Server: Apache/2 Access-Control-Allow-Origin: https://foo.example Vary: Accept-Encoding, Origin Content-Encoding: gzip Content-Length: 235 Keep-Alive: timeout=2, max=99 Connection: Keep-Alive Content-Type: text/plain [Some XML content] </code></pre> </div> <h4 id="preflighted_requests_and_redirects">Preflighted requests and redirects</h4> <p>Not all browsers currently support following redirects after a preflighted request. If a redirect occurs after such a request, some browsers currently will report an error message such as the following:</p> <blockquote> <p>The request was redirected to <code>https://example.com/foo</code>, which is disallowed for cross-origin requests that require preflight. Request requires preflight, which is disallowed to follow cross-origin redirects.</p> </blockquote> <p>The CORS protocol originally required that behavior but <a href="https://translate.google.com/website?sl=pl&tl=tr&hl=en-GB&u=https://github.com/whatwg/fetch/commit/0d9a4db8bc02251cc9e391543bb3c1322fb882f2" class="external" target="_blank">was subsequently changed to no longer require it</a>. However, not all browsers have implemented the change, and thus still exhibit the originally required behavior.</p> <p>Until browsers catch up with the spec, you may be able to work around this limitation by doing one or both of the following:</p> <ul> <li>Change the server-side behavior to avoid the preflight and/or to avoid the redirect</li> <li>Change the request such that it is a <a href="https://developer-mozilla-org.translate.goog/en-US/docs/Web/HTTP/CORS?_x_tr_sl=pl&_x_tr_tl=tr&_x_tr_hl=en-GB#simple_requests">simple request</a> that doesn't cause a preflight</li> </ul> <p>If that's not possible, then another way is to:</p> <ol> <li>Make a <a href="https://developer-mozilla-org.translate.goog/en-US/docs/Web/HTTP/CORS?_x_tr_sl=pl&_x_tr_tl=tr&_x_tr_hl=en-GB#simple_requests">simple request</a> (using <a href="https://developer-mozilla-org.translate.goog/en-US/docs/Web/API/Response/url?_x_tr_sl=pl&_x_tr_tl=tr&_x_tr_hl=en-GB"><code>Response.url</code></a> for the Fetch API, or <a href="https://developer-mozilla-org.translate.goog/en-US/docs/Web/API/XMLHttpRequest/responseURL?_x_tr_sl=pl&_x_tr_tl=tr&_x_tr_hl=en-GB"><code>XMLHttpRequest.responseURL</code></a>) to determine what URL the real preflighted request would end up at.</li> <li>Make another request (the <em>real</em> request) using the URL you obtained from <code>Response.url</code> or <code>XMLHttpRequest.responseURL</code> in the first step.</li> </ol> <p>However, if the request is one that triggers a preflight due to the presence of the <code>Authorization</code> header in the request, you won't be able to work around the limitation using the steps above. And you won't be able to work around it at all unless you have control over the server the request is being made to.</p> </div> </section> <section aria-labelledby="requests_with_credentials"> <h3 id="requests_with_credentials"><a href="https://developer-mozilla-org.translate.goog/en-US/docs/Web/HTTP/CORS?_x_tr_sl=pl&_x_tr_tl=tr&_x_tr_hl=en-GB#requests_with_credentials">Requests with credentials</a></h3> <div class="section-content"> <div class="notecard note"> <p><strong>Note:</strong> When making credentialed requests to a different domain, third-party cookie policies will still apply. The policy is always enforced regardless of any setup on the server and the client as described in this chapter.</p> </div> <p>The most interesting capability exposed by both <a href="https://developer-mozilla-org.translate.goog/en-US/docs/Web/API/Window/fetch?_x_tr_sl=pl&_x_tr_tl=tr&_x_tr_hl=en-GB" title="fetch()"><code>fetch()</code></a> or <a href="https://developer-mozilla-org.translate.goog/en-US/docs/Web/API/XMLHttpRequest?_x_tr_sl=pl&_x_tr_tl=tr&_x_tr_hl=en-GB"><code>XMLHttpRequest</code></a> and CORS is the ability to make "credentialed" requests that are aware of <a href="https://developer-mozilla-org.translate.goog/en-US/docs/Web/HTTP/Cookies?_x_tr_sl=pl&_x_tr_tl=tr&_x_tr_hl=en-GB">HTTP cookies</a> and HTTP Authentication information. By default, in cross-origin <code>fetch()</code> or <code>XMLHttpRequest</code> calls, browsers will <em>not</em> send credentials.</p> <p>To ask for a <code>fetch()</code> request to include credentials, set the <a href="https://developer-mozilla-org.translate.goog/en-US/docs/Web/API/RequestInit?_x_tr_sl=pl&_x_tr_tl=tr&_x_tr_hl=en-GB#credentials"><code>credentials</code></a> option to <code>"include"</code>.</p> <p>To ask for an <code>XMLHttpRequest</code> request to include credentials, set the <a href="https://developer-mozilla-org.translate.goog/en-US/docs/Web/API/XMLHttpRequest/withCredentials?_x_tr_sl=pl&_x_tr_tl=tr&_x_tr_hl=en-GB"><code>XMLHttpRequest.withCredentials</code></a> property to <code>true</code>.</p> <p>In this example, content originally loaded from <code>https://foo.example</code> makes a simple GET request to a resource on <code>https://bar.other</code> which sets Cookies. Content on foo.example might contain JavaScript like this:</p> <div class="code-example"> <div class="example-header"> <span class="language-name">js</span> </div> <pre class="brush: js notranslate"><code>const url = "https://bar.other/resources/credentialed-content/"; const request = new Request(url, { credentials: "include" }); const fetchPromise = fetch(request); fetchPromise.then((response) => console.log(response)); </code></pre> </div> <p>This code creates a <a href="https://developer-mozilla-org.translate.goog/en-US/docs/Web/API/Request?_x_tr_sl=pl&_x_tr_tl=tr&_x_tr_hl=en-GB"><code>Request</code></a> object, setting the <code>credentials</code> option to <code>"include"</code> in the constructor, then passes this request into <code>fetch()</code>. Since this is a simple <code>GET</code> request, it is not preflighted but the browser will <strong>reject</strong> any response that does not have the <a href="https://developer-mozilla-org.translate.goog/en-US/docs/Web/HTTP/Headers/Access-Control-Allow-Credentials?_x_tr_sl=pl&_x_tr_tl=tr&_x_tr_hl=en-GB"><code>Access-Control-Allow-Credentials</code></a><code>: true</code> header, and <strong>not</strong> make the response available to the invoking web content.</p> <p><img src="https://mdn.github.io/shared-assets/images/diagrams/http/cors/include-credentials.svg" alt="Diagram of a simple GET request with Access-Control-Allow-Credentials" loading="lazy"></p> <p>Here is a sample exchange between client and server:</p> <div class="code-example"> <div class="example-header"> <span class="language-name">http</span> </div> <pre class="brush: http notranslate"><code>GET /resources/credentialed-content/ HTTP/1.1 Host: bar.other User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:71.0) Gecko/20100101 Firefox/71.0 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8 Accept-Language: en-us,en;q=0.5 Accept-Encoding: gzip,deflate Connection: keep-alive Referer: https://foo.example/examples/credential.html Origin: https://foo.example Cookie: pageAccess=2 HTTP/1.1 200 OK Date: Mon, 01 Dec 2008 01:34:52 GMT Server: Apache/2 Access-Control-Allow-Origin: https://foo.example Access-Control-Allow-Credentials: true Cache-Control: no-cache Pragma: no-cache Set-Cookie: pageAccess=3; expires=Wed, 31-Dec-2008 01:34:53 GMT Vary: Accept-Encoding, Origin Content-Encoding: gzip Content-Length: 106 Keep-Alive: timeout=2, max=100 Connection: Keep-Alive Content-Type: text/plain [text/plain content] </code></pre> </div> <p>Although the request's <code>Cookie</code> header contains the cookie destined for the content on <code>https://bar.other</code>, if bar.other did not respond with an <a href="https://developer-mozilla-org.translate.goog/en-US/docs/Web/HTTP/Headers/Access-Control-Allow-Credentials?_x_tr_sl=pl&_x_tr_tl=tr&_x_tr_hl=en-GB"><code>Access-Control-Allow-Credentials</code></a> with value <code>true</code>, as demonstrated in this example, the response would be ignored and not made available to the web content.</p> <h4 id="preflight_requests_and_credentials">Preflight requests and credentials</h4> <p>CORS-preflight requests must never include credentials. The <em>response</em> to a preflight request must specify <code>Access-Control-Allow-Credentials: true</code> to indicate that the actual request can be made with credentials.</p> <div class="notecard note"> <p><strong>Note:</strong> Some enterprise authentication services require that TLS client certificates be sent in preflight requests, in contravention of the <a href="https://translate.google.com/website?sl=pl&tl=tr&hl=en-GB&u=https://fetch.spec.whatwg.org/%23cors-protocol-and-credentials" class="external" target="_blank">Fetch</a> specification.</p> <p>Firefox 87 allows this non-compliant behavior to be enabled by setting the preference: <code>network.cors_preflight.allow_client_cert</code> to <code>true</code> (<a href="https://translate.google.com/website?sl=pl&tl=tr&hl=en-GB&u=https://bugzil.la/1511151" class="external" target="_blank">Firefox bug 1511151</a>). Chromium-based browsers currently always send TLS client certificates in CORS preflight requests (<a href="https://translate.google.com/website?sl=pl&tl=tr&hl=en-GB&u=https://crbug.com/775438" class="external" target="_blank">Chrome bug 775438</a>).</p> </div> <h4 id="credentialed_requests_and_wildcards">Credentialed requests and wildcards</h4> <p>When responding to a credentialed request:</p> <ul> <li>The server <strong>must not</strong> specify the <code>*</code> wildcard for the <code>Access-Control-Allow-Origin</code> response-header value, but must instead specify an explicit origin; for example: <code>Access-Control-Allow-Origin: https://example.com</code></li> <li>The server <strong>must not</strong> specify the <code>*</code> wildcard for the <code>Access-Control-Allow-Headers</code> response-header value, but must instead specify an explicit list of header names; for example, <code>Access-Control-Allow-Headers: X-PINGOTHER, Content-Type</code></li> <li>The server <strong>must not</strong> specify the <code>*</code> wildcard for the <code>Access-Control-Allow-Methods</code> response-header value, but must instead specify an explicit list of method names; for example, <code>Access-Control-Allow-Methods: POST, GET</code></li> <li>The server <strong>must not</strong> specify the <code>*</code> wildcard for the <code>Access-Control-Expose-Headers</code> response-header value, but must instead specify an explicit list of header names; for example, <code>Access-Control-Expose-Headers: Content-Encoding, Kuma-Revision</code></li> </ul> <p>If a request includes a credential (most commonly a <code>Cookie</code> header) and the response includes an <code>Access-Control-Allow-Origin: *</code> header (that is, with the wildcard), the browser will block access to the response, and report a CORS error in the devtools console.</p> <p>But if a request does include a credential (like the <code>Cookie</code> header) and the response includes an actual origin rather than the wildcard (like, for example, <code>Access-Control-Allow-Origin: https://example.com</code>), then the browser will allow access to the response from the specified origin.</p> <p>Also note that any <code>Set-Cookie</code> response header in a response would not set a cookie if the <code>Access-Control-Allow-Origin</code> value in that response is the <code>*</code> wildcard rather an actual origin.</p> <h4 id="third-party_cookies">Third-party cookies</h4> <p>Note that cookies set in CORS responses are subject to normal third-party cookie policies. In the example above, the page is loaded from <code>foo.example</code> but the <code>Cookie</code> header in the response is sent by <code>bar.other</code>, and would thus not be saved if the user's browser is configured to reject all third-party cookies.</p> <p>Cookie in the request may also be suppressed in normal third-party cookie policies. The enforced cookie policy may therefore nullify the capability described in this chapter, effectively preventing you from making credentialed requests whatsoever.</p> <p>Cookie policy around the <a href="https://developer-mozilla-org.translate.goog/en-US/docs/Web/HTTP/Headers/Set-Cookie?_x_tr_sl=pl&_x_tr_tl=tr&_x_tr_hl=en-GB#samesitesamesite-value">SameSite</a> attribute would apply.</p> </div> </section> <section aria-labelledby="the_http_response_headers"> <h2 id="the_http_response_headers"><a href="https://developer-mozilla-org.translate.goog/en-US/docs/Web/HTTP/CORS?_x_tr_sl=pl&_x_tr_tl=tr&_x_tr_hl=en-GB#the_http_response_headers">The HTTP response headers</a></h2> <div class="section-content"> <p>This section lists the HTTP response headers that servers return for access control requests as defined by the Cross-Origin Resource Sharing specification. The previous section gives an overview of these in action.</p> </div> </section> <section aria-labelledby="access-control-allow-origin"> <h3 id="access-control-allow-origin"><a href="https://developer-mozilla-org.translate.goog/en-US/docs/Web/HTTP/CORS?_x_tr_sl=pl&_x_tr_tl=tr&_x_tr_hl=en-GB#access-control-allow-origin">Access-Control-Allow-Origin</a></h3> <div class="section-content"> <p>A returned resource may have one <a href="https://developer-mozilla-org.translate.goog/en-US/docs/Web/HTTP/Headers/Access-Control-Allow-Origin?_x_tr_sl=pl&_x_tr_tl=tr&_x_tr_hl=en-GB"><code>Access-Control-Allow-Origin</code></a> header with the following syntax:</p> <div class="code-example"> <div class="example-header"> <span class="language-name">http</span> </div> <pre class="brush: http notranslate"><code>Access-Control-Allow-Origin: <origin> | * </code></pre> </div> <p><code>Access-Control-Allow-Origin</code> specifies either a single origin which tells browsers to allow that origin to access the resource; or else — for requests <strong>without</strong> credentials — the <code>*</code> wildcard tells browsers to allow any origin to access the resource.</p> <p>For example, to allow code from the origin <code>https://mozilla.org</code> to access the resource, you can specify:</p> <div class="code-example"> <div class="example-header"> <span class="language-name">http</span> </div> <pre class="brush: http notranslate"><code>Access-Control-Allow-Origin: https://mozilla.org Vary: Origin </code></pre> </div> <p>If the server specifies a single origin (that may dynamically change based on the requesting origin as part of an allowlist) rather than the <code>*</code> wildcard, then the server should also include <code>Origin</code> in the <a href="https://developer-mozilla-org.translate.goog/en-US/docs/Web/HTTP/Headers/Vary?_x_tr_sl=pl&_x_tr_tl=tr&_x_tr_hl=en-GB"><code>Vary</code></a> response header to indicate to clients that server responses will differ based on the value of the <a href="https://developer-mozilla-org.translate.goog/en-US/docs/Web/HTTP/Headers/Origin?_x_tr_sl=pl&_x_tr_tl=tr&_x_tr_hl=en-GB"><code>Origin</code></a> request header.</p> </div> </section> <section aria-labelledby="access-control-expose-headers"> <h3 id="access-control-expose-headers"><a href="https://developer-mozilla-org.translate.goog/en-US/docs/Web/HTTP/CORS?_x_tr_sl=pl&_x_tr_tl=tr&_x_tr_hl=en-GB#access-control-expose-headers">Access-Control-Expose-Headers</a></h3> <div class="section-content"> <p>The <a href="https://developer-mozilla-org.translate.goog/en-US/docs/Web/HTTP/Headers/Access-Control-Expose-Headers?_x_tr_sl=pl&_x_tr_tl=tr&_x_tr_hl=en-GB"><code>Access-Control-Expose-Headers</code></a> header adds the specified headers to the allowlist that JavaScript (such as <a href="https://developer-mozilla-org.translate.goog/en-US/docs/Web/API/Response/headers?_x_tr_sl=pl&_x_tr_tl=tr&_x_tr_hl=en-GB"><code>Response.headers</code></a>) in browsers is allowed to access.</p> <div class="code-example"> <div class="example-header"> <span class="language-name">http</span> </div> <pre class="brush: http notranslate"><code>Access-Control-Expose-Headers: <header-name>[, <header-name>]* </code></pre> </div> <p>For example, the following:</p> <div class="code-example"> <div class="example-header"> <span class="language-name">http</span> </div> <pre class="brush: http notranslate"><code>Access-Control-Expose-Headers: X-My-Custom-Header, X-Another-Custom-Header </code></pre> </div> <p>…would allow the <code>X-My-Custom-Header</code> and <code>X-Another-Custom-Header</code> headers to be exposed to the browser.</p> </div> </section> <section aria-labelledby="access-control-max-age"> <h3 id="access-control-max-age"><a href="https://developer-mozilla-org.translate.goog/en-US/docs/Web/HTTP/CORS?_x_tr_sl=pl&_x_tr_tl=tr&_x_tr_hl=en-GB#access-control-max-age">Access-Control-Max-Age</a></h3> <div class="section-content"> <p>The <a href="https://developer-mozilla-org.translate.goog/en-US/docs/Web/HTTP/Headers/Access-Control-Max-Age?_x_tr_sl=pl&_x_tr_tl=tr&_x_tr_hl=en-GB"><code>Access-Control-Max-Age</code></a> header indicates how long the results of a preflight request can be cached. For an example of a preflight request, see the above examples.</p> <div class="code-example"> <div class="example-header"> <span class="language-name">http</span> </div> <pre class="brush: http notranslate"><code>Access-Control-Max-Age: <delta-seconds> </code></pre> </div> <p>The <code>delta-seconds</code> parameter indicates the number of seconds the results can be cached.</p> </div> </section> <section aria-labelledby="access-control-allow-credentials"> <h3 id="access-control-allow-credentials"><a href="https://developer-mozilla-org.translate.goog/en-US/docs/Web/HTTP/CORS?_x_tr_sl=pl&_x_tr_tl=tr&_x_tr_hl=en-GB#access-control-allow-credentials">Access-Control-Allow-Credentials</a></h3> <div class="section-content"> <p>The <a href="https://developer-mozilla-org.translate.goog/en-US/docs/Web/HTTP/Headers/Access-Control-Allow-Credentials?_x_tr_sl=pl&_x_tr_tl=tr&_x_tr_hl=en-GB"><code>Access-Control-Allow-Credentials</code></a> header indicates whether or not the response to the request can be exposed when the <code>credentials</code> flag is true. When used as part of a response to a preflight request, this indicates whether or not the actual request can be made using credentials. Note that simple <code>GET</code> requests are not preflighted, and so if a request is made for a resource with credentials, if this header is not returned with the resource, the response is ignored by the browser and not returned to web content.</p> <div class="code-example"> <div class="example-header"> <span class="language-name">http</span> </div> <pre class="brush: http notranslate"><code>Access-Control-Allow-Credentials: true </code></pre> </div> <p><a href="https://developer-mozilla-org.translate.goog/en-US/docs/Web/HTTP/CORS?_x_tr_sl=pl&_x_tr_tl=tr&_x_tr_hl=en-GB#requests_with_credentials">Credentialed requests</a> are discussed above.</p> </div> </section> <section aria-labelledby="access-control-allow-methods"> <h3 id="access-control-allow-methods"><a href="https://developer-mozilla-org.translate.goog/en-US/docs/Web/HTTP/CORS?_x_tr_sl=pl&_x_tr_tl=tr&_x_tr_hl=en-GB#access-control-allow-methods">Access-Control-Allow-Methods</a></h3> <div class="section-content"> <p>The <a href="https://developer-mozilla-org.translate.goog/en-US/docs/Web/HTTP/Headers/Access-Control-Allow-Methods?_x_tr_sl=pl&_x_tr_tl=tr&_x_tr_hl=en-GB"><code>Access-Control-Allow-Methods</code></a> header specifies the method or methods allowed when accessing the resource. This is used in response to a preflight request. The conditions under which a request is preflighted are discussed above.</p> <div class="code-example"> <div class="example-header"> <span class="language-name">http</span> </div> <pre class="brush: http notranslate"><code>Access-Control-Allow-Methods: <method>[, <method>]* </code></pre> </div> <p>An example of a <a href="https://developer-mozilla-org.translate.goog/en-US/docs/Glossary/Preflight_request?_x_tr_sl=pl&_x_tr_tl=tr&_x_tr_hl=en-GB">preflight request</a> is given above, including an example which sends this header to the browser.</p> </div> </section> <section aria-labelledby="access-control-allow-headers"> <h3 id="access-control-allow-headers"><a href="https://developer-mozilla-org.translate.goog/en-US/docs/Web/HTTP/CORS?_x_tr_sl=pl&_x_tr_tl=tr&_x_tr_hl=en-GB#access-control-allow-headers">Access-Control-Allow-Headers</a></h3> <div class="section-content"> <p>The <a href="https://developer-mozilla-org.translate.goog/en-US/docs/Web/HTTP/Headers/Access-Control-Allow-Headers?_x_tr_sl=pl&_x_tr_tl=tr&_x_tr_hl=en-GB"><code>Access-Control-Allow-Headers</code></a> header is used in response to a <a href="https://developer-mozilla-org.translate.goog/en-US/docs/Glossary/Preflight_request?_x_tr_sl=pl&_x_tr_tl=tr&_x_tr_hl=en-GB">preflight request</a> to indicate which HTTP headers can be used when making the actual request. This header is the server side response to the browser's <a href="https://developer-mozilla-org.translate.goog/en-US/docs/Web/HTTP/Headers/Access-Control-Request-Headers?_x_tr_sl=pl&_x_tr_tl=tr&_x_tr_hl=en-GB"><code>Access-Control-Request-Headers</code></a> header.</p> <div class="code-example"> <div class="example-header"> <span class="language-name">http</span> </div> <pre class="brush: http notranslate"><code>Access-Control-Allow-Headers: <header-name>[, <header-name>]* </code></pre> </div> </div> </section> <section aria-labelledby="the_http_request_headers"> <h2 id="the_http_request_headers"><a href="https://developer-mozilla-org.translate.goog/en-US/docs/Web/HTTP/CORS?_x_tr_sl=pl&_x_tr_tl=tr&_x_tr_hl=en-GB#the_http_request_headers">The HTTP request headers</a></h2> <div class="section-content"> <p>This section lists headers that clients may use when issuing HTTP requests in order to make use of the cross-origin sharing feature. Note that these headers are set for you when making invocations to servers. Developers making cross-origin requests do not have to set any cross-origin sharing request headers programmatically.</p> </div> </section> <section aria-labelledby="origin"> <h3 id="origin"><a href="https://developer-mozilla-org.translate.goog/en-US/docs/Web/HTTP/CORS?_x_tr_sl=pl&_x_tr_tl=tr&_x_tr_hl=en-GB#origin">Origin</a></h3> <div class="section-content"> <p>The <a href="https://developer-mozilla-org.translate.goog/en-US/docs/Web/HTTP/Headers/Origin?_x_tr_sl=pl&_x_tr_tl=tr&_x_tr_hl=en-GB"><code>Origin</code></a> header indicates the origin of the cross-origin access request or preflight request.</p> <div class="code-example"> <div class="example-header"> <span class="language-name">http</span> </div> <pre class="brush: http notranslate"><code>Origin: <origin> </code></pre> </div> <p>The origin is a URL indicating the server from which the request is initiated. It does not include any path information, only the server name.</p> <div class="notecard note"> <p><strong>Note:</strong> The <code>origin</code> value can be <code>null</code>.</p> </div> <p>Note that in any access control request, the <a href="https://developer-mozilla-org.translate.goog/en-US/docs/Web/HTTP/Headers/Origin?_x_tr_sl=pl&_x_tr_tl=tr&_x_tr_hl=en-GB"><code>Origin</code></a> header is <strong>always</strong> sent.</p> </div> </section> <section aria-labelledby="access-control-request-method"> <h3 id="access-control-request-method"><a href="https://developer-mozilla-org.translate.goog/en-US/docs/Web/HTTP/CORS?_x_tr_sl=pl&_x_tr_tl=tr&_x_tr_hl=en-GB#access-control-request-method">Access-Control-Request-Method</a></h3> <div class="section-content"> <p>The <a href="https://developer-mozilla-org.translate.goog/en-US/docs/Web/HTTP/Headers/Access-Control-Request-Method?_x_tr_sl=pl&_x_tr_tl=tr&_x_tr_hl=en-GB"><code>Access-Control-Request-Method</code></a> is used when issuing a preflight request to let the server know what HTTP method will be used when the actual request is made.</p> <div class="code-example"> <div class="example-header"> <span class="language-name">http</span> </div> <pre class="brush: http notranslate"><code>Access-Control-Request-Method: <method> </code></pre> </div> <p>Examples of this usage can be <a href="https://developer-mozilla-org.translate.goog/en-US/docs/Web/HTTP/CORS?_x_tr_sl=pl&_x_tr_tl=tr&_x_tr_hl=en-GB#preflighted_requests">found above.</a></p> </div> </section> <section aria-labelledby="access-control-request-headers"> <h3 id="access-control-request-headers"><a href="https://developer-mozilla-org.translate.goog/en-US/docs/Web/HTTP/CORS?_x_tr_sl=pl&_x_tr_tl=tr&_x_tr_hl=en-GB#access-control-request-headers">Access-Control-Request-Headers</a></h3> <div class="section-content"> <p>The <a href="https://developer-mozilla-org.translate.goog/en-US/docs/Web/HTTP/Headers/Access-Control-Request-Headers?_x_tr_sl=pl&_x_tr_tl=tr&_x_tr_hl=en-GB"><code>Access-Control-Request-Headers</code></a> header is used when issuing a preflight request to let the server know what HTTP headers will be used when the actual request is made (for example, by passing them as the <a href="https://developer-mozilla-org.translate.goog/en-US/docs/Web/API/RequestInit?_x_tr_sl=pl&_x_tr_tl=tr&_x_tr_hl=en-GB#headers"><code>headers</code></a> option). This browser-side header will be answered by the complementary server-side header of <a href="https://developer-mozilla-org.translate.goog/en-US/docs/Web/HTTP/Headers/Access-Control-Allow-Headers?_x_tr_sl=pl&_x_tr_tl=tr&_x_tr_hl=en-GB"><code>Access-Control-Allow-Headers</code></a>.</p> <div class="code-example"> <div class="example-header"> <span class="language-name">http</span> </div> <pre class="brush: http notranslate"><code>Access-Control-Request-Headers: <field-name>[,<field-name>]* </code></pre> </div> <p>Examples of this usage can be <a href="https://developer-mozilla-org.translate.goog/en-US/docs/Web/HTTP/CORS?_x_tr_sl=pl&_x_tr_tl=tr&_x_tr_hl=en-GB#preflighted_requests">found above</a>.</p> </div> </section> <h2 id="specifications"><a href="https://developer-mozilla-org.translate.goog/en-US/docs/Web/HTTP/CORS?_x_tr_sl=pl&_x_tr_tl=tr&_x_tr_hl=en-GB#specifications">Specifications</a></h2> <table class="standard-table"> <thead> <tr> <th scope="col">Specification</th> </tr> </thead> <tbody> <tr> <td><a href="https://translate.google.com/website?sl=pl&tl=tr&hl=en-GB&u=https://fetch.spec.whatwg.org/%23http-access-control-allow-origin">Fetch<!-- --> <br><small># <!-- -->http-access-control-allow-origin</small></a></td> </tr> </tbody> </table> <h2 id="browser_compatibility"><a href="https://developer-mozilla-org.translate.goog/en-US/docs/Web/HTTP/CORS?_x_tr_sl=pl&_x_tr_tl=tr&_x_tr_hl=en-GB#browser_compatibility">Browser compatibility</a></h2> <p>BCD tables only load in the browser <noscript><!-- -->with JavaScript enabled. Enable JavaScript to view data. </noscript></p> <section aria-labelledby="see_also"> <h2 id="see_also"><a href="https://developer-mozilla-org.translate.goog/en-US/docs/Web/HTTP/CORS?_x_tr_sl=pl&_x_tr_tl=tr&_x_tr_hl=en-GB#see_also">See also</a></h2> <div class="section-content"> <ul> <li><p><a href="https://developer-mozilla-org.translate.goog/en-US/docs/Web/HTTP/CORS/Errors?_x_tr_sl=pl&_x_tr_tl=tr&_x_tr_hl=en-GB">CORS errors</a></p></li> <li><p><a href="https://translate.google.com/website?sl=pl&tl=tr&hl=en-GB&u=https://enable-cors.org/server.html" class="external" target="_blank">Enable CORS: I want to add CORS support to my server</a></p></li> <li><p><a href="https://developer-mozilla-org.translate.goog/en-US/docs/Web/API/Fetch_API?_x_tr_sl=pl&_x_tr_tl=tr&_x_tr_hl=en-GB">Fetch API</a></p></li> <li><a href="https://developer-mozilla-org.translate.goog/en-US/docs/Web/API/XMLHttpRequest?_x_tr_sl=pl&_x_tr_tl=tr&_x_tr_hl=en-GB"><code>XMLHttpRequest</code></a></li> <li><p><a href="https://translate.google.com/website?sl=pl&tl=tr&hl=en-GB&u=https://httptoolkit.com/will-it-cors/" class="external" target="_blank">Will it CORS?</a> - an interactive CORS explainer & generator</p></li> <li><p><a href="https://translate.google.com/website?sl=pl&tl=tr&hl=en-GB&u=https://alfilatov.com/posts/run-chrome-without-cors/" class="external" target="_blank">How to run Chrome browser without CORS</a></p></li> <li><p><a href="https://translate.google.com/website?sl=pl&tl=tr&hl=en-GB&u=https://www.telerik.com/blogs/using-cors-with-all-modern-browsers" class="external" target="_blank">Using CORS with All (Modern) Browsers</a></p></li> <li><p><a href="https://translate.google.com/website?sl=pl&tl=tr&hl=en-GB&u=https://stackoverflow.com/questions/43871637/no-access-control-allow-origin-header-is-present-on-the-requested-resource-whe/43881141%2343881141" class="external" target="_blank">Stack Overflow answer with "how to" info for dealing with common problems</a>:</p> <ul> <li>How to avoid the CORS preflight</li> <li>How to use a CORS proxy to get around <em>"No Access-Control-Allow-Origin header"</em></li> <li>How to fix <em>"Access-Control-Allow-Origin header must not be the wildcard"</em></li> </ul></li> </ul> </div> </section> </article> <aside class="article-footer"> <div class="article-footer-inner"> <div class="svg-container"> <svg xmlns="http://www.w3.org/2000/svg" width="162" height="162" viewbox="0 0 162 162" fill="none" role="none"> <mask id="b" fill="#fff"> <path d="M97.203 47.04c8.113-7.886 18.004-13.871 28.906-17.492a78 78 0 0 1 33.969-3.39c11.443 1.39 22.401 5.295 32.024 11.411s17.656 14.28 23.476 23.86c5.819 9.579 9.269 20.318 10.083 31.385a69.85 69.85 0 0 1-5.387 32.44c-4.358 10.272-11.115 19.443-19.747 26.801-8.632 7.359-18.908 12.709-30.034 15.637l-6.17-21.698c7.666-2.017 14.746-5.703 20.694-10.773 5.948-5.071 10.603-11.389 13.606-18.467a48.14 48.14 0 0 0 3.712-22.352c-.561-7.625-2.938-15.025-6.948-21.625s-9.544-12.226-16.175-16.44-14.181-6.904-22.065-7.863a53.75 53.75 0 0 0-23.405 2.336c-7.513 2.495-14.327 6.62-19.918 12.053z"></path> </mask><path stroke="url(#a)" stroke-dasharray="6, 6" stroke-width="2" d="M97.203 47.04c8.113-7.886 18.004-13.871 28.906-17.492a78 78 0 0 1 33.969-3.39c11.443 1.39 22.401 5.295 32.024 11.411s17.656 14.28 23.476 23.86c5.819 9.579 9.269 20.318 10.083 31.385a69.85 69.85 0 0 1-5.387 32.44c-4.358 10.272-11.115 19.443-19.747 26.801-8.632 7.359-18.908 12.709-30.034 15.637l-6.17-21.698c7.666-2.017 14.746-5.703 20.694-10.773 5.948-5.071 10.603-11.389 13.606-18.467a48.14 48.14 0 0 0 3.712-22.352c-.561-7.625-2.938-15.025-6.948-21.625s-9.544-12.226-16.175-16.44-14.181-6.904-22.065-7.863a53.75 53.75 0 0 0-23.405 2.336c-7.513 2.495-14.327 6.62-19.918 12.053z" mask="url(#b)" style="stroke:url(#a)" transform="translate(-63.992 -25.587)"></path><ellipse cx="8.066" cy="111.597" fill="var(--background-tertiary)" rx="53.677" ry="53.699" transform="matrix(.71707 -.697 .7243 .6895 0 0)"></ellipse><g clip-path="url(#c)" transform="translate(-63.992 -25.587)"> <path fill="#9abff5" d="m144.256 137.379 32.906 12.434a4.41 4.41 0 0 1 2.559 5.667l-9.326 24.679a4.41 4.41 0 0 1-5.667 2.559l-8.226-3.108-2.332 6.17c-.466 1.233-.375 1.883-1.609 1.417l-2.253-.527c-.411-.155-.95-.594-1.206-1.161l-4.734-10.484-12.545-4.741a4.41 4.41 0 0 1-2.559-5.667l9.325-24.679a4.41 4.41 0 0 1 5.667-2.559m9.961 29.617 8.227 3.108 3.264-8.638-.498-6.768-4.113-1.555.548 7.258-4.319-1.632zm-12.339-4.663 8.226 3.108 3.264-8.637-.498-6.769-4.113-1.554.548 7.257-4.319-1.632z"></path> </g><g clip-path="url(#d)" transform="translate(-63.992 -25.587)"> <path fill="#81b0f3" d="M135.35 60.136 86.67 41.654c-3.346-1.27-7.124.428-8.394 3.775L64.414 81.938c-1.27 3.347.428 7.125 3.774 8.395l12.17 4.62-3.465 9.128c-.693 1.826-1.432 2.457.394 3.15l3.014 1.625c.609.231 1.637.274 2.477-.104l15.53-6.983 18.56 7.047c3.346 1.27 7.124-.428 8.395-3.775l13.862-36.51c1.27-3.346-.428-7.124-3.775-8.395M95.261 83.207l-12.17-4.62 4.852-12.779 7.19-7.017 6.085 2.31-7.725 7.51 6.389 2.426zm18.255 6.93-12.17-4.62 4.852-12.778 7.189-7.017 6.085 2.31-7.725 7.51 6.39 2.426z"></path> </g><defs> <clippath id="c"> <path fill="#fff" d="m198.638 146.586-65.056-24.583-24.583 65.057 65.056 24.582z"></path> </clippath> <clippath id="d"> <path fill="#fff" d="m66.438 14.055 96.242 36.54-36.54 96.243-96.243-36.54z"></path> </clippath> <lineargradient id="a" x1="97.203" x2="199.995" y1="47.04" y2="152.793" gradientunits="userSpaceOnUse"> <stop stop-color="#086DFC"></stop> <stop offset="0.246" stop-color="#2C81FA"></stop> <stop offset="0.516" stop-color="#5497F8"></stop> <stop offset="0.821" stop-color="#80B0F6"></stop> <stop offset="1" stop-color="#9ABFF5"></stop> </lineargradient> </defs> </svg> </div> <h2>Help improve MDN</h2> <fieldset class="feedback"> <label>Was this page helpful to you?</label> <div class="button-container"> <button type="button" class="button primary has-icon yes"><span class="button-wrap"><span class="icon icon-thumbs-up "></span>Yes</span></button><button type="button" class="button primary has-icon no"><span class="button-wrap"><span class="icon icon-thumbs-down "></span>No</span></button> </div> </fieldset><a class="contribute" href="https://translate.google.com/website?sl=pl&tl=tr&hl=en-GB&u=https://github.com/mdn/content/blob/main/CONTRIBUTING.md" title="This will take you to our contribution guidelines on GitHub." target="_blank" rel="noopener noreferrer">Learn how to contribute</a>. <p class="last-modified-date">This page was last modified on<!-- --> <time datetime="2025-02-24T09:53:28.000Z">Feb 24, 2025</time> by<!-- --> <a href="https://developer-mozilla-org.translate.goog/en-US/docs/Web/HTTP/CORS/contributors.txt?_x_tr_sl=pl&_x_tr_tl=tr&_x_tr_hl=en-GB" rel="nofollow">MDN contributors</a>.</p> <div id="on-github" class="on-github"> <a href="https://translate.google.com/website?sl=pl&tl=tr&hl=en-GB&u=https://github.com/mdn/content/blob/main/files/en-us/web/http/cors/index.md?plain%3D1" title="Folder: en-us/web/http/cors (Opens in a new tab)" target="_blank" rel="noopener noreferrer">View this page on GitHub</a> <!-- -->•<!-- --> <a href="https://translate.google.com/website?sl=pl&tl=tr&hl=en-GB&u=https://github.com/mdn/content/issues/new?template%3Dpage-report.yml%26mdn-url%3Dhttps%253A%252F%252Fdeveloper.mozilla.org%252Fen-US%252Fdocs%252FWeb%252FHTTP%252FCORS%26metadata%3D%253C%2521--%2BDo%2Bnot%2Bmake%2Bchanges%2Bbelow%2Bthis%2Bline%2B--%253E%250A%253Cdetails%253E%250A%253Csummary%253EPage%2Breport%2Bdetails%253C%252Fsummary%253E%250A%250A*%2BFolder%253A%2B%2560en-us%252Fweb%252Fhttp%252Fcors%2560%250A*%2BMDN%2BURL%253A%2Bhttps%253A%252F%252Fdeveloper.mozilla.org%252Fen-US%252Fdocs%252FWeb%252FHTTP%252FCORS%250A*%2BGitHub%2BURL%253A%2Bhttps%253A%252F%252Fgithub.com%252Fmdn%252Fcontent%252Fblob%252Fmain%252Ffiles%252Fen-us%252Fweb%252Fhttp%252Fcors%252Findex.md%250A*%2BLast%2Bcommit%253A%2Bhttps%253A%252F%252Fgithub.com%252Fmdn%252Fcontent%252Fcommit%252F442db82028668b17b888ee439468ae2ac9d589a5%250A*%2BDocument%2Blast%2Bmodified%253A%2B2025-02-24T09%253A53%253A28.000Z%250A%250A%253C%252Fdetails%253E" title="This will take you to GitHub to file a new issue." target="_blank" rel="noopener noreferrer">Report a problem with this content</a> </div> </div> </aside> </main> </div> </div> <footer id="nav-footer" class="page-footer"> <div class="page-footer-grid"> <div class="page-footer-logo-col"> <a href="https://developer-mozilla-org.translate.goog/?_x_tr_sl=pl&_x_tr_tl=tr&_x_tr_hl=en-GB" class="mdn-footer-logo" aria-label="MDN homepage"> <svg width="48" height="17" viewbox="0 0 48 17" fill="none" xmlns="http://www.w3.org/2000/svg"> <title id="mdn-footer-logo-svg">MDN logo</title><path d="M20.04 16.512H15.504V10.416C15.504 9.488 15.344 8.824 15.024 8.424C14.72 8.024 14.264 7.824 13.656 7.824C12.92 7.824 12.384 8.064 12.048 8.544C11.728 9.024 11.568 9.64 11.568 10.392V14.184H13.008V16.512H8.472V10.416C8.472 9.488 8.312 8.824 7.992 8.424C7.688 8.024 7.232 7.824 6.624 7.824C5.872 7.824 5.336 8.064 5.016 8.544C4.696 9.024 4.536 9.64 4.536 10.392V14.184H6.6V16.512H0V14.184H1.44V8.04H0.024V5.688H4.536V7.32C5.224 6.088 6.32 5.472 7.824 5.472C8.608 5.472 9.328 5.664 9.984 6.048C10.64 6.432 11.096 7.016 11.352 7.8C11.992 6.248 13.168 5.472 14.88 5.472C15.856 5.472 16.72 5.776 17.472 6.384C18.224 6.992 18.6 7.936 18.6 9.216V14.184H20.04V16.512Z" fill="currentColor"></path><path d="M33.6714 16.512H29.1354V14.496C28.8314 15.12 28.3834 15.656 27.7914 16.104C27.1994 16.536 26.4154 16.752 25.4394 16.752C24.0154 16.752 22.8954 16.264 22.0794 15.288C21.2634 14.312 20.8554 12.984 20.8554 11.304C20.8554 9.688 21.2554 8.312 22.0554 7.176C22.8554 6.04 24.0634 5.472 25.6794 5.472C26.5594 5.472 27.2794 5.648 27.8394 6C28.3994 6.352 28.8314 6.8 29.1354 7.344V2.352H26.9754V0H32.2314V14.184H33.6714V16.512ZM29.1354 11.04V10.776C29.1354 9.88 28.8954 9.184 28.4154 8.688C27.9514 8.176 27.3674 7.92 26.6634 7.92C25.9754 7.92 25.3674 8.176 24.8394 8.688C24.3274 9.2 24.0714 10.008 24.0714 11.112C24.0714 12.152 24.3114 12.944 24.7914 13.488C25.2714 14.032 25.8394 14.304 26.4954 14.304C27.3114 14.304 27.9514 13.96 28.4154 13.272C28.8954 12.584 29.1354 11.84 29.1354 11.04Z" fill="currentColor"></path><path d="M47.9589 16.512H41.9829V14.184H43.4229V10.416C43.4229 9.488 43.2629 8.824 42.9429 8.424C42.6389 8.024 42.1829 7.824 41.5749 7.824C40.8389 7.824 40.2709 8.056 39.8709 8.52C39.4709 8.968 39.2629 9.56 39.2469 10.296V14.184H40.6869V16.512H34.7109V14.184H36.1509V8.04H34.5909V5.688H39.2469V7.344C39.9669 6.096 41.1269 5.472 42.7269 5.472C43.7509 5.472 44.6389 5.776 45.3909 6.384C46.1429 6.992 46.5189 7.936 46.5189 9.216V14.184H47.9589V16.512Z" fill="currentColor"></path> </svg></a> <p>Your blueprint for a better internet.</p> <ul class="social-icons"> <li><a href="https://translate.google.com/website?sl=pl&tl=tr&hl=en-GB&u=https://mastodon.social/@mdn" target="_blank" rel="me noopener noreferrer"><span class="icon icon-mastodon"></span><span class="visually-hidden">MDN on Mastodon</span></a></li> <li><a href="https://translate.google.com/website?sl=pl&tl=tr&hl=en-GB&u=https://twitter.com/mozdevnet" target="_blank" rel="noopener noreferrer"><span class="icon icon-twitter-x"></span><span class="visually-hidden">MDN on X (formerly Twitter)</span></a></li> <li><a href="https://translate.google.com/website?sl=pl&tl=tr&hl=en-GB&u=https://github.com/mdn/" target="_blank" rel="noopener noreferrer"><span class="icon icon-github-mark-small"></span><span class="visually-hidden">MDN on GitHub</span></a></li> <li><a href="https://developer-mozilla-org.translate.goog/en-US/blog/rss.xml?_x_tr_sl=pl&_x_tr_tl=tr&_x_tr_hl=en-GB" target="_blank"><span class="icon icon-feed"></span><span class="visually-hidden">MDN Blog RSS Feed</span></a></li> </ul> </div> <div class="page-footer-nav-col-1"> <h2 class="footer-nav-heading">MDN</h2> <ul class="footer-nav-list"> <li class="footer-nav-item"><a href="https://developer-mozilla-org.translate.goog/en-US/about?_x_tr_sl=pl&_x_tr_tl=tr&_x_tr_hl=en-GB">About</a></li> <li class="footer-nav-item"><a href="https://developer-mozilla-org.translate.goog/en-US/blog/?_x_tr_sl=pl&_x_tr_tl=tr&_x_tr_hl=en-GB">Blog</a></li> <li class="footer-nav-item"><a href="https://translate.google.com/website?sl=pl&tl=tr&hl=en-GB&u=https://www.mozilla.org/en-US/careers/listings/?team%3DProdOps" target="_blank" rel="noopener noreferrer">Careers</a></li> <li class="footer-nav-item"><a href="https://developer-mozilla-org.translate.goog/en-US/advertising?_x_tr_sl=pl&_x_tr_tl=tr&_x_tr_hl=en-GB">Advertise with us</a></li> </ul> </div> <div class="page-footer-nav-col-2"> <h2 class="footer-nav-heading">Support</h2> <ul class="footer-nav-list"> <li class="footer-nav-item"><a class="footer-nav-link" href="https://translate.google.com/website?sl=pl&tl=tr&hl=en-GB&u=https://support.mozilla.org/products/mdn-plus">Product help</a></li> <li class="footer-nav-item"><a class="footer-nav-link" href="https://developer-mozilla-org.translate.goog/en-US/docs/MDN/Community/Issues?_x_tr_sl=pl&_x_tr_tl=tr&_x_tr_hl=en-GB">Report an issue</a></li> </ul> </div> <div class="page-footer-nav-col-3"> <h2 class="footer-nav-heading">Our communities</h2> <ul class="footer-nav-list"> <li class="footer-nav-item"><a class="footer-nav-link" href="https://developer-mozilla-org.translate.goog/en-US/community?_x_tr_sl=pl&_x_tr_tl=tr&_x_tr_hl=en-GB">MDN Community</a></li> <li class="footer-nav-item"><a class="footer-nav-link" href="https://translate.google.com/website?sl=pl&tl=tr&hl=en-GB&u=https://discourse.mozilla.org/c/mdn/236" target="_blank" rel="noopener noreferrer">MDN Forum</a></li> <li class="footer-nav-item"><a class="footer-nav-link" href="https://developer-mozilla-org.translate.goog/discord?_x_tr_sl=pl&_x_tr_tl=tr&_x_tr_hl=en-GB" target="_blank" rel="noopener noreferrer">MDN Chat</a></li> </ul> </div> <div class="page-footer-nav-col-4"> <h2 class="footer-nav-heading">Developers</h2> <ul class="footer-nav-list"> <li class="footer-nav-item"><a class="footer-nav-link" href="https://developer-mozilla-org.translate.goog/en-US/docs/Web?_x_tr_sl=pl&_x_tr_tl=tr&_x_tr_hl=en-GB">Web Technologies</a></li> <li class="footer-nav-item"><a class="footer-nav-link" href="https://developer-mozilla-org.translate.goog/en-US/docs/Learn?_x_tr_sl=pl&_x_tr_tl=tr&_x_tr_hl=en-GB">Learn Web Development</a></li> <li class="footer-nav-item"><a class="footer-nav-link" href="https://developer-mozilla-org.translate.goog/en-US/plus?_x_tr_sl=pl&_x_tr_tl=tr&_x_tr_hl=en-GB">MDN Plus</a></li> <li class="footer-nav-item"><a href="https://translate.google.com/website?sl=pl&tl=tr&hl=en-GB&u=https://hacks.mozilla.org/" target="_blank" rel="noopener noreferrer">Hacks Blog</a></li> </ul> </div> <div class="page-footer-moz"> <a href="https://translate.google.com/website?sl=pl&tl=tr&hl=en-GB&u=https://www.mozilla.org/" class="footer-moz-logo-link" target="_blank" rel="noopener noreferrer"> <svg xmlns="http://www.w3.org/2000/svg" width="137" height="32" fill="none" viewbox="0 0 267.431 62.607"> <path fill="currentColor" d="m13.913 23.056 5.33 25.356h2.195l5.33-25.356h14.267v38.976h-7.578V29.694h-2.194l-7.264 32.337h-7.343L9.418 29.694H7.223v32.337H-.354V23.056Zm47.137 9.123c9.12 0 14.423 5.385 14.423 15.214s-5.33 15.214-14.423 15.214c-9.12 0-14.423-5.385-14.423-15.214 0-9.855 5.304-15.214 14.423-15.214m0 24.363c4.285 0 6.428-2.196 6.428-7.032v-4.287c0-4.836-2.143-7.032-6.428-7.032s-6.428 2.196-6.428 7.032v4.287c0 4.836 2.143 7.032 6.428 7.032m18.473-.157 15.47-18.01h-15.26v-5.647h24.352v5.646L88.616 56.385h15.704v5.646H79.523Zm29.318-23.657h11.183V62.03h-7.578V38.375h-3.632v-5.646zm3.605-9.672h7.578v5.646h-7.578zm13.17 0h11.21v38.976h-7.578v-33.33h-3.632zm16.801 0H153.6v38.976h-7.577v-33.33h-3.632v-5.646zm29.03 9.123c4.442 0 7.394 2.143 8.231 5.881h2.194v-5.332h9.276v5.646h-3.632v18.011h3.632v5.646h-4.442c-3.135 0-4.834-1.699-4.834-4.836V56.7h-2.194c-.81 3.738-3.789 5.881-8.23 5.881-6.978 0-11.916-5.829-11.916-15.214 0-9.384 4.938-15.187 11.915-15.187m2.3 24.363c4.284 0 6.192-2.196 6.192-7.032v-4.287c0-4.836-1.908-7.032-6.193-7.032-4.18 0-6.193 2.196-6.193 7.032v4.287c0 4.836 2.012 7.032 6.193 7.032m48.34 5.489h-7.577V0h7.577zm6.585-29.643h32.165v-2.196l-21.295-7.634v-6.143l21.295-7.633V6.588h-25.345V0h32.165v12.522l-17.35 5.881V20.6l17.35 5.882v12.521h-38.985zm0-25.801h6.794v6.796h-6.794z"></path> </svg></a> <ul class="footer-moz-list"> <li class="footer-moz-item"><a href="https://translate.google.com/website?sl=pl&tl=tr&hl=en-GB&u=https://www.mozilla.org/privacy/websites/" class="footer-moz-link" target="_blank" rel="noopener noreferrer">Website Privacy Notice</a></li> <li class="footer-moz-item"><a href="https://translate.google.com/website?sl=pl&tl=tr&hl=en-GB&u=https://www.mozilla.org/privacy/websites/%23cookies" class="footer-moz-link" target="_blank" rel="noopener noreferrer">Cookies</a></li> <li class="footer-moz-item"><a href="https://translate.google.com/website?sl=pl&tl=tr&hl=en-GB&u=https://www.mozilla.org/about/legal/terms/mozilla" class="footer-moz-link" target="_blank" rel="noopener noreferrer">Legal</a></li> <li class="footer-moz-item"><a href="https://translate.google.com/website?sl=pl&tl=tr&hl=en-GB&u=https://www.mozilla.org/about/governance/policies/participation/" class="footer-moz-link" target="_blank" rel="noopener noreferrer">Community Participation Guidelines</a></li> </ul> </div> <div class="page-footer-legal"> <p id="license" class="page-footer-legal-text">Visit<!-- --> <a href="https://translate.google.com/website?sl=pl&tl=tr&hl=en-GB&u=https://www.mozilla.org" target="_blank" rel="noopener noreferrer">Mozilla Corporation’s</a> <!-- -->not-for-profit parent, the<!-- --> <a target="_blank" rel="noopener noreferrer" href="https://translate.google.com/website?sl=pl&tl=tr&hl=en-GB&u=https://foundation.mozilla.org/">Mozilla Foundation</a>.<br> Portions of this content are ©1998–<!-- -->2025<!-- --> by individual mozilla.org contributors. Content available under<!-- --> <a href="https://developer-mozilla-org.translate.goog/en-US/docs/MDN/Writing_guidelines/Attrib_copyright_license?_x_tr_sl=pl&_x_tr_tl=tr&_x_tr_hl=en-GB">a Creative Commons license</a>.</p> </div> </div> </footer> </div> <script type="application/json" id="hydration">{"url":"/en-US/docs/Web/HTTP/CORS","doc":{"body":[{"type":"prose","value":{"id":null,"title":null,"isH3":false,"content":"<p><strong>Cross-Origin Resource Sharing</strong> (<a href=\"/en-US/docs/Glossary/CORS\">CORS</a>) is an <a href=\"/en-US/docs/Glossary/HTTP\">HTTP</a>-header based mechanism that allows a server to indicate any <a href=\"/en-US/docs/Glossary/Origin\">origins</a> (domain, scheme, or port) other than its own from which a browser should permit loading resources. CORS also relies on a mechanism by which browsers make a \"preflight\" request to the server hosting the cross-origin resource, in order to check that the server will permit the actual request. In that preflight, the browser sends headers that indicate the HTTP method and headers that will be used in the actual request.</p>\n<p>An example of a cross-origin request: the front-end JavaScript code served from <code>https://domain-a.com</code> uses <a href=\"/en-US/docs/Web/API/Window/fetch\" title=\"fetch()\"><code>fetch()</code></a> to make a request for <code>https://domain-b.com/data.json</code>.</p>\n<p>For security reasons, browsers restrict cross-origin HTTP requests initiated from scripts. For example, <code>fetch()</code> and <a href=\"/en-US/docs/Web/API/XMLHttpRequest\"><code>XMLHttpRequest</code></a> follow the <a href=\"/en-US/docs/Web/Security/Same-origin_policy\">same-origin policy</a>. This means that a web application using those APIs can only request resources from the same origin the application was loaded from unless the response from other origins includes the right CORS headers.</p>\n<p><img src=\"https://mdn.github.io/shared-assets/images/diagrams/http/cors/fetching-page-cors.svg\" alt=\"Diagrammatic representation of CORS mechanism\" loading=\"lazy\"></p>\n<p>The CORS mechanism supports secure cross-origin requests and data transfers between browsers and servers. Browsers use CORS in APIs such as <code>fetch()</code> or <code>XMLHttpRequest</code> to mitigate the risks of cross-origin HTTP requests.</p>"}},{"type":"prose","value":{"id":"what_requests_use_cors","title":"What requests use CORS?","isH3":false,"content":"<p>This <a href=\"https://fetch.spec.whatwg.org/#http-cors-protocol\" class=\"external\" target=\"_blank\">cross-origin sharing standard</a> can enable cross-origin HTTP requests for:</p>\n<ul>\n<li>Invocations of <code>fetch()</code> or <code>XMLHttpRequest</code>, as discussed above.</li>\n<li>Web Fonts (for cross-domain font usage in <code>@font-face</code> within CSS), <a href=\"https://www.w3.org/TR/css-fonts-3/#font-fetching-requirements\" class=\"external\" target=\"_blank\">so that servers can deploy TrueType fonts that can only be loaded cross-origin and used by websites that are permitted to do so.</a></li>\n<li><a href=\"/en-US/docs/Web/API/WebGL_API/Tutorial/Using_textures_in_WebGL\">WebGL textures</a>.</li>\n<li>Images/video frames drawn to a canvas using <a href=\"/en-US/docs/Web/API/CanvasRenderingContext2D/drawImage\" title=\"drawImage()\"><code>drawImage()</code></a>.</li>\n<li><a href=\"/en-US/docs/Web/CSS/CSS_shapes/Shapes_from_images\">CSS Shapes from images.</a></li>\n</ul>\n<p>This is a general article about Cross-Origin Resource Sharing and includes a discussion of the necessary HTTP headers.</p>"}},{"type":"prose","value":{"id":"functional_overview","title":"Functional overview","isH3":false,"content":"<p>The Cross-Origin Resource Sharing standard works by adding new <a href=\"/en-US/docs/Web/HTTP/Headers\">HTTP headers</a> that let servers describe which origins are permitted to read that information from a web browser. Additionally, for HTTP request methods that can cause side-effects on server data (in particular, HTTP methods other than <a href=\"/en-US/docs/Web/HTTP/Methods/GET\"><code>GET</code></a>, or <a href=\"/en-US/docs/Web/HTTP/Methods/POST\"><code>POST</code></a> with certain <a href=\"/en-US/docs/Web/HTTP/MIME_types\">MIME types</a>), the specification mandates that browsers \"preflight\" the request, soliciting supported methods from the server with the HTTP <a href=\"/en-US/docs/Web/HTTP/Methods/OPTIONS\"><code>OPTIONS</code></a> request method, and then, upon \"approval\" from the server, sending the actual request. Servers can also inform clients whether \"credentials\" (such as <a href=\"/en-US/docs/Web/HTTP/Cookies\">Cookies</a> and <a href=\"/en-US/docs/Web/HTTP/Authentication\">HTTP Authentication</a>) should be sent with requests.</p>\n<p>CORS failures result in errors but for security reasons, specifics about the error <em>are not available to JavaScript</em>. All the code knows is that an error occurred. The only way to determine what specifically went wrong is to look at the browser's console for details.</p>\n<p>Subsequent sections discuss scenarios, as well as provide a breakdown of the HTTP headers used.</p>"}},{"type":"prose","value":{"id":"examples_of_access_control_scenarios","title":"Examples of access control scenarios","isH3":false,"content":"<p>We present three scenarios that demonstrate how Cross-Origin Resource Sharing works. All these examples use <a href=\"/en-US/docs/Web/API/Window/fetch\" title=\"fetch()\"><code>fetch()</code></a>, which can make cross-origin requests in any supporting browser.</p>"}},{"type":"prose","value":{"id":"simple_requests","title":"Simple requests","isH3":true,"content":"<p>Some requests don't trigger a <a href=\"/en-US/docs/Glossary/Preflight_request\">CORS preflight</a>. Those are called <em>simple requests</em> from the obsolete <a href=\"https://www.w3.org/TR/2014/REC-cors-20140116/#terminology\" class=\"external\" target=\"_blank\">CORS spec</a>, though the <a href=\"https://fetch.spec.whatwg.org/\" class=\"external\" target=\"_blank\">Fetch spec</a> (which now defines CORS) doesn't use that term.</p>\n<p>The motivation is that the <a href=\"/en-US/docs/Web/HTML/Element/form\"><code><form></code></a> element from HTML 4.0 (which predates cross-site <a href=\"/en-US/docs/Web/API/Window/fetch\" title=\"fetch()\"><code>fetch()</code></a> and <a href=\"/en-US/docs/Web/API/XMLHttpRequest\"><code>XMLHttpRequest</code></a>) can submit simple requests to any origin, so anyone writing a server must already be protecting against <a href=\"/en-US/docs/Glossary/CSRF\">cross-site request forgery</a> (CSRF). Under this assumption, the server doesn't have to opt-in (by responding to a preflight request) to receive any request that looks like a form submission, since the threat of CSRF is no worse than that of form submission. However, the server still must opt-in using <a href=\"/en-US/docs/Web/HTTP/Headers/Access-Control-Allow-Origin\"><code>Access-Control-Allow-Origin</code></a> to <em>share</em> the response with the script.</p>\n<p>A <em>simple request</em> is one that <strong>meets all the following conditions</strong>:</p>\n<ul>\n<li>\n<p>One of the allowed methods:</p>\n<ul>\n<li><a href=\"/en-US/docs/Web/HTTP/Methods/GET\"><code>GET</code></a></li>\n<li><a href=\"/en-US/docs/Web/HTTP/Methods/HEAD\"><code>HEAD</code></a></li>\n<li><a href=\"/en-US/docs/Web/HTTP/Methods/POST\"><code>POST</code></a></li>\n</ul>\n</li>\n<li>\n<p>Apart from the headers automatically set by the user agent (for example, <a href=\"/en-US/docs/Web/HTTP/Headers/Connection\"><code>Connection</code></a>, <a href=\"/en-US/docs/Web/HTTP/Headers/User-Agent\"><code>User-Agent</code></a>, or the <a href=\"/en-US/docs/Glossary/Forbidden_request_header\">forbidden request headers</a>), the only headers which are allowed to be manually set are the <a href=\"/en-US/docs/Glossary/CORS-safelisted_request_header\">CORS-safelisted request-headers</a>, which are:</p>\n<ul>\n<li><a href=\"/en-US/docs/Web/HTTP/Headers/Accept\"><code>Accept</code></a></li>\n<li><a href=\"/en-US/docs/Web/HTTP/Headers/Accept-Language\"><code>Accept-Language</code></a></li>\n<li><a href=\"/en-US/docs/Web/HTTP/Headers/Content-Language\"><code>Content-Language</code></a></li>\n<li><a href=\"/en-US/docs/Web/HTTP/Headers/Content-Type\"><code>Content-Type</code></a> (please note the additional requirements below)</li>\n<li><a href=\"/en-US/docs/Web/HTTP/Headers/Range\"><code>Range</code></a> (only with a <a href=\"https://fetch.spec.whatwg.org/#simple-range-header-value\" class=\"external\" target=\"_blank\">simple range header value</a>; e.g., <code>bytes=256-</code> or <code>bytes=127-255</code>)</li>\n</ul>\n</li>\n<li>\n<p>The only type/subtype combinations allowed for the <a href=\"/en-US/docs/Glossary/MIME_type\">media type</a> specified in the <a href=\"/en-US/docs/Web/HTTP/Headers/Content-Type\"><code>Content-Type</code></a> header are:</p>\n<ul>\n<li><code>application/x-www-form-urlencoded</code></li>\n<li><code>multipart/form-data</code></li>\n<li><code>text/plain</code></li>\n</ul>\n</li>\n<li>\n<p>If the request is made using an <a href=\"/en-US/docs/Web/API/XMLHttpRequest\"><code>XMLHttpRequest</code></a> object, no event listeners are registered on the object returned by the <a href=\"/en-US/docs/Web/API/XMLHttpRequest/upload\"><code>XMLHttpRequest.upload</code></a> property used in the request; that is, given an <a href=\"/en-US/docs/Web/API/XMLHttpRequest\"><code>XMLHttpRequest</code></a> instance <code>xhr</code>, no code has called <code>xhr.upload.addEventListener()</code> to add an event listener to monitor the upload.</p>\n</li>\n<li>\n<p>No <a href=\"/en-US/docs/Web/API/ReadableStream\"><code>ReadableStream</code></a> object is used in the request.</p>\n</li>\n</ul>\n<div class=\"notecard note\">\n<p><strong>Note:</strong>\nWebKit Nightly and Safari Technology Preview place additional restrictions on the values allowed in the <a href=\"/en-US/docs/Web/HTTP/Headers/Accept\"><code>Accept</code></a>, <a href=\"/en-US/docs/Web/HTTP/Headers/Accept-Language\"><code>Accept-Language</code></a>, and <a href=\"/en-US/docs/Web/HTTP/Headers/Content-Language\"><code>Content-Language</code></a> headers. If any of those headers have \"nonstandard\" values, WebKit/Safari does not consider the request to be a \"simple request\". What values WebKit/Safari consider \"nonstandard\" is not documented, except in the following WebKit bugs:</p>\n<ul>\n<li><a href=\"https://webkit.org/b/165178\" class=\"external\" target=\"_blank\">Require preflight for non-standard CORS-safelisted request headers Accept, Accept-Language, and Content-Language</a></li>\n<li><a href=\"https://webkit.org/b/165566\" class=\"external\" target=\"_blank\">Allow commas in Accept, Accept-Language, and Content-Language request headers for simple CORS</a></li>\n<li><a href=\"https://webkit.org/b/166363\" class=\"external\" target=\"_blank\">Switch to a blacklist model for restricted Accept headers in simple CORS requests</a></li>\n</ul>\n<p>No other browsers implement these extra restrictions because they're not part of the spec.</p>\n</div>\n<p>For example, suppose web content at <code>https://foo.example</code> wishes to fetch JSON content from domain <code>https://bar.other</code>. Code of this sort might be used in JavaScript deployed on <code>foo.example</code>:</p>\n<div class=\"code-example\"><div class=\"example-header\"><span class=\"language-name\">js</span></div><pre class=\"brush: js notranslate\"><code>const fetchPromise = fetch(\"https://bar.other\");\n\nfetchPromise\n .then((response) => response.json())\n .then((data) => {\n console.log(data);\n });\n</code></pre></div>\n<p>This operation performs a simple exchange between the client and the server, using CORS headers to handle the privileges:</p>\n<p><img src=\"https://mdn.github.io/shared-assets/images/diagrams/http/cors/simple-request.svg\" alt=\"Diagram of simple CORS GET request\" loading=\"lazy\"></p>\n<p>Let's look at what the browser will send to the server in this case:</p>\n<div class=\"code-example\"><div class=\"example-header\"><span class=\"language-name\">http</span></div><pre class=\"brush: http notranslate\"><code>GET /resources/public-data/ HTTP/1.1\nHost: bar.other\nUser-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:71.0) Gecko/20100101 Firefox/71.0\nAccept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8\nAccept-Language: en-us,en;q=0.5\nAccept-Encoding: gzip,deflate\nConnection: keep-alive\nOrigin: https://foo.example\n</code></pre></div>\n<p>The request header of note is <a href=\"/en-US/docs/Web/HTTP/Headers/Origin\"><code>Origin</code></a>, which shows that the invocation is coming from <code>https://foo.example</code>.</p>\n<p>Now let's see how the server responds:</p>\n<div class=\"code-example\"><div class=\"example-header\"><span class=\"language-name\">http</span></div><pre class=\"brush: http notranslate\"><code>HTTP/1.1 200 OK\nDate: Mon, 01 Dec 2008 00:23:53 GMT\nServer: Apache/2\nAccess-Control-Allow-Origin: *\nKeep-Alive: timeout=2, max=100\nConnection: Keep-Alive\nTransfer-Encoding: chunked\nContent-Type: application/xml\n\n[…XML Data…]\n</code></pre></div>\n<p>In response, the server returns a <a href=\"/en-US/docs/Web/HTTP/Headers/Access-Control-Allow-Origin\"><code>Access-Control-Allow-Origin</code></a> header with <code>Access-Control-Allow-Origin: *</code>, which means that the resource can be accessed by <strong>any</strong> origin.</p>\n<div class=\"code-example\"><div class=\"example-header\"><span class=\"language-name\">http</span></div><pre class=\"brush: http notranslate\"><code>Access-Control-Allow-Origin: *\n</code></pre></div>\n<p>This pattern of the <a href=\"/en-US/docs/Web/HTTP/Headers/Origin\"><code>Origin</code></a> and <a href=\"/en-US/docs/Web/HTTP/Headers/Access-Control-Allow-Origin\"><code>Access-Control-Allow-Origin</code></a> headers is the simplest use of the access control protocol. If the resource owners at <code>https://bar.other</code> wished to restrict access to the resource to requests <em>only</em> from <code>https://foo.example</code> (i.e., no domain other than <code>https://foo.example</code> can access the resource in a cross-origin manner), they would send:</p>\n<div class=\"code-example\"><div class=\"example-header\"><span class=\"language-name\">http</span></div><pre class=\"brush: http notranslate\"><code>Access-Control-Allow-Origin: https://foo.example\n</code></pre></div>\n<div class=\"notecard note\">\n<p><strong>Note:</strong>\nWhen responding to a <a href=\"#requests_with_credentials\">credentialed requests</a> request, the server <strong>must</strong> specify an origin in the value of the <code>Access-Control-Allow-Origin</code> header, instead of specifying the <code>*</code> wildcard.</p>\n</div>"}},{"type":"prose","value":{"id":"preflighted_requests","title":"Preflighted requests","isH3":true,"content":"<p>Unlike <a href=\"#simple_requests\"><em>simple requests</em></a>, for \"preflighted\" requests the browser first sends an HTTP request using the <a href=\"/en-US/docs/Web/HTTP/Methods/OPTIONS\"><code>OPTIONS</code></a> method to the resource on the other origin, in order to determine if the actual request is safe to send. Such cross-origin requests are preflighted since they may have implications for user data.</p>\n<p>The following is an example of a request that will be preflighted:</p>\n<div class=\"code-example\"><div class=\"example-header\"><span class=\"language-name\">js</span></div><pre class=\"brush: js notranslate\"><code>const fetchPromise = fetch(\"https://bar.other/doc\", {\n method: \"POST\",\n mode: \"cors\",\n headers: {\n \"Content-Type\": \"text/xml\",\n \"X-PINGOTHER\": \"pingpong\",\n },\n body: \"<person><name>Arun</name></person>\",\n});\n\nfetchPromise.then((response) => {\n console.log(response.status);\n});\n</code></pre></div>\n<p>The example above creates an XML body to send with the <code>POST</code> request. Also, a non-standard HTTP <code>X-PINGOTHER</code> request header is set. Such headers are not part of HTTP/1.1, but are generally useful to web applications. Since the request uses a <code>Content-Type</code> of <code>text/xml</code>, and since a custom header is set, this request is preflighted.</p>\n<p><img src=\"https://mdn.github.io/shared-assets/images/diagrams/http/cors/preflight-correct.svg\" alt=\"Diagram of a request that is preflighted\" loading=\"lazy\"></p>\n<div class=\"notecard note\">\n<p><strong>Note:</strong>\nAs described below, the actual <code>POST</code> request does not include the <code>Access-Control-Request-*</code> headers; they are needed only for the <code>OPTIONS</code> request.</p>\n</div>\n<p>Let's look at the full exchange between client and server. The first exchange is the <em>preflight request/response</em>:</p>\n<div class=\"code-example\"><div class=\"example-header\"><span class=\"language-name\">http</span></div><pre class=\"brush: http notranslate\"><code>OPTIONS /doc HTTP/1.1\nHost: bar.other\nUser-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:71.0) Gecko/20100101 Firefox/71.0\nAccept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8\nAccept-Language: en-us,en;q=0.5\nAccept-Encoding: gzip,deflate\nConnection: keep-alive\nOrigin: https://foo.example\nAccess-Control-Request-Method: POST\nAccess-Control-Request-Headers: content-type,x-pingother\n\nHTTP/1.1 204 No Content\nDate: Mon, 01 Dec 2008 01:15:39 GMT\nServer: Apache/2\nAccess-Control-Allow-Origin: https://foo.example\nAccess-Control-Allow-Methods: POST, GET, OPTIONS\nAccess-Control-Allow-Headers: X-PINGOTHER, Content-Type\nAccess-Control-Max-Age: 86400\nVary: Accept-Encoding, Origin\nKeep-Alive: timeout=2, max=100\nConnection: Keep-Alive\n</code></pre></div>\n<p>The first block above represents the preflight request with the <a href=\"/en-US/docs/Web/HTTP/Methods/OPTIONS\"><code>OPTIONS</code></a> method. The browser determines that it needs to send this based on the request parameters that the JavaScript code snippet above was using, so that the server can respond whether it is acceptable to send the request with the actual request parameters. OPTIONS is an HTTP/1.1 method that is used to determine further information from servers, and is a <a href=\"/en-US/docs/Glossary/Safe/HTTP\">safe</a> method, meaning that it can't be used to change the resource. Note that along with the OPTIONS request, two other request headers are sent:</p>\n<div class=\"code-example\"><div class=\"example-header\"><span class=\"language-name\">http</span></div><pre class=\"brush: http notranslate\"><code>Access-Control-Request-Method: POST\nAccess-Control-Request-Headers: content-type,x-pingother\n</code></pre></div>\n<p>The <a href=\"/en-US/docs/Web/HTTP/Headers/Access-Control-Request-Method\"><code>Access-Control-Request-Method</code></a> header notifies the server as part of a preflight request that when the actual request is sent, it will do so with a <code>POST</code> request method. The <a href=\"/en-US/docs/Web/HTTP/Headers/Access-Control-Request-Headers\"><code>Access-Control-Request-Headers</code></a> header notifies the server that when the actual request is sent, it will do so with <code>X-PINGOTHER</code> and <code>Content-Type</code> custom headers. Now the server has an opportunity to determine whether it can accept a request under these conditions.</p>\n<p>The second block above is the response that the server returns, which indicate that the request method (<code>POST</code>) and request headers (<code>X-PINGOTHER</code>) are acceptable. Let's have a closer look at the following lines:</p>\n<div class=\"code-example\"><div class=\"example-header\"><span class=\"language-name\">http</span></div><pre class=\"brush: http notranslate\"><code>Access-Control-Allow-Origin: https://foo.example\nAccess-Control-Allow-Methods: POST, GET, OPTIONS\nAccess-Control-Allow-Headers: X-PINGOTHER, Content-Type\nAccess-Control-Max-Age: 86400\n</code></pre></div>\n<p>The server responds with <code>Access-Control-Allow-Origin: https://foo.example</code>, restricting access to the requesting origin domain only. It also responds with <code>Access-Control-Allow-Methods</code>, which says that <code>POST</code> and <code>GET</code> are valid methods to query the resource in question (this header is similar to the <a href=\"/en-US/docs/Web/HTTP/Headers/Allow\"><code>Allow</code></a> response header, but used strictly within the context of access control).</p>\n<p>The server also sends <code>Access-Control-Allow-Headers</code> with a value of <code>X-PINGOTHER, Content-Type</code>, confirming that these are permitted headers to be used with the actual request. Like <code>Access-Control-Allow-Methods</code>, <code>Access-Control-Allow-Headers</code> is a comma-separated list of acceptable headers.</p>\n<p>Finally, <a href=\"/en-US/docs/Web/HTTP/Headers/Access-Control-Max-Age\"><code>Access-Control-Max-Age</code></a> gives the value in seconds for how long the response to the preflight request can be cached without sending another preflight request. The default value is 5 seconds. In the present case, the max age is 86400 seconds (= 24 hours). Note that each browser has a <a href=\"/en-US/docs/Web/HTTP/Headers/Access-Control-Max-Age\">maximum internal value</a> that takes precedence when the <code>Access-Control-Max-Age</code> exceeds it.</p>\n<p>Once the preflight request is complete, the real request is sent:</p>\n<div class=\"code-example\"><div class=\"example-header\"><span class=\"language-name\">http</span></div><pre class=\"brush: http notranslate\"><code>POST /doc HTTP/1.1\nHost: bar.other\nUser-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:71.0) Gecko/20100101 Firefox/71.0\nAccept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8\nAccept-Language: en-us,en;q=0.5\nAccept-Encoding: gzip,deflate\nConnection: keep-alive\nX-PINGOTHER: pingpong\nContent-Type: text/xml; charset=UTF-8\nReferer: https://foo.example/examples/preflightInvocation.html\nContent-Length: 55\nOrigin: https://foo.example\nPragma: no-cache\nCache-Control: no-cache\n\n<person><name>Arun</name></person>\n\nHTTP/1.1 200 OK\nDate: Mon, 01 Dec 2008 01:15:40 GMT\nServer: Apache/2\nAccess-Control-Allow-Origin: https://foo.example\nVary: Accept-Encoding, Origin\nContent-Encoding: gzip\nContent-Length: 235\nKeep-Alive: timeout=2, max=99\nConnection: Keep-Alive\nContent-Type: text/plain\n\n[Some XML content]\n</code></pre></div>\n<h4 id=\"preflighted_requests_and_redirects\">Preflighted requests and redirects</h4>\n<p>Not all browsers currently support following redirects after a preflighted request. If a redirect occurs after such a request, some browsers currently will report an error message such as the following:</p>\n<blockquote>\n<p>The request was redirected to <code>https://example.com/foo</code>, which is disallowed for cross-origin requests that require preflight.\nRequest requires preflight, which is disallowed to follow cross-origin redirects.</p>\n</blockquote>\n<p>The CORS protocol originally required that behavior but <a href=\"https://github.com/whatwg/fetch/commit/0d9a4db8bc02251cc9e391543bb3c1322fb882f2\" class=\"external\" target=\"_blank\">was subsequently changed to no longer require it</a>. However, not all browsers have implemented the change, and thus still exhibit the originally required behavior.</p>\n<p>Until browsers catch up with the spec, you may be able to work around this limitation by doing one or both of the following:</p>\n<ul>\n<li>Change the server-side behavior to avoid the preflight and/or to avoid the redirect</li>\n<li>Change the request such that it is a <a href=\"#simple_requests\">simple request</a> that doesn't cause a preflight</li>\n</ul>\n<p>If that's not possible, then another way is to:</p>\n<ol>\n<li>Make a <a href=\"#simple_requests\">simple request</a> (using <a href=\"/en-US/docs/Web/API/Response/url\"><code>Response.url</code></a> for the Fetch API, or <a href=\"/en-US/docs/Web/API/XMLHttpRequest/responseURL\"><code>XMLHttpRequest.responseURL</code></a>) to determine what URL the real preflighted request would end up at.</li>\n<li>Make another request (the <em>real</em> request) using the URL you obtained from <code>Response.url</code> or <code>XMLHttpRequest.responseURL</code> in the first step.</li>\n</ol>\n<p>However, if the request is one that triggers a preflight due to the presence of the <code>Authorization</code> header in the request, you won't be able to work around the limitation using the steps above. And you won't be able to work around it at all unless you have control over the server the request is being made to.</p>"}},{"type":"prose","value":{"id":"requests_with_credentials","title":"Requests with credentials","isH3":true,"content":"<div class=\"notecard note\">\n<p><strong>Note:</strong>\nWhen making credentialed requests to a different domain, third-party cookie policies will still apply. The policy is always enforced regardless of any setup on the server and the client as described in this chapter.</p>\n</div>\n<p>The most interesting capability exposed by both <a href=\"/en-US/docs/Web/API/Window/fetch\" title=\"fetch()\"><code>fetch()</code></a> or <a href=\"/en-US/docs/Web/API/XMLHttpRequest\"><code>XMLHttpRequest</code></a> and CORS is the ability to make \"credentialed\" requests that are aware of <a href=\"/en-US/docs/Web/HTTP/Cookies\">HTTP cookies</a> and HTTP Authentication information. By default, in cross-origin <code>fetch()</code> or <code>XMLHttpRequest</code> calls, browsers will <em>not</em> send credentials.</p>\n<p>To ask for a <code>fetch()</code> request to include credentials, set the <a href=\"/en-US/docs/Web/API/RequestInit#credentials\"><code>credentials</code></a> option to <code>\"include\"</code>.</p>\n<p>To ask for an <code>XMLHttpRequest</code> request to include credentials, set the <a href=\"/en-US/docs/Web/API/XMLHttpRequest/withCredentials\"><code>XMLHttpRequest.withCredentials</code></a> property to <code>true</code>.</p>\n<p>In this example, content originally loaded from <code>https://foo.example</code> makes a simple GET request to a resource on <code>https://bar.other</code> which sets Cookies. Content on foo.example might contain JavaScript like this:</p>\n<div class=\"code-example\"><div class=\"example-header\"><span class=\"language-name\">js</span></div><pre class=\"brush: js notranslate\"><code>const url = \"https://bar.other/resources/credentialed-content/\";\n\nconst request = new Request(url, { credentials: \"include\" });\n\nconst fetchPromise = fetch(request);\nfetchPromise.then((response) => console.log(response));\n</code></pre></div>\n<p>This code creates a <a href=\"/en-US/docs/Web/API/Request\"><code>Request</code></a> object, setting the <code>credentials</code> option to <code>\"include\"</code> in the constructor, then passes this request into <code>fetch()</code>. Since this is a simple <code>GET</code> request, it is not preflighted but the browser will <strong>reject</strong> any response that does not have the <a href=\"/en-US/docs/Web/HTTP/Headers/Access-Control-Allow-Credentials\"><code>Access-Control-Allow-Credentials</code></a><code>: true</code> header, and <strong>not</strong> make the response available to the invoking web content.</p>\n<p><img src=\"https://mdn.github.io/shared-assets/images/diagrams/http/cors/include-credentials.svg\" alt=\"Diagram of a simple GET request with Access-Control-Allow-Credentials\" loading=\"lazy\"></p>\n<p>Here is a sample exchange between client and server:</p>\n<div class=\"code-example\"><div class=\"example-header\"><span class=\"language-name\">http</span></div><pre class=\"brush: http notranslate\"><code>GET /resources/credentialed-content/ HTTP/1.1\nHost: bar.other\nUser-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:71.0) Gecko/20100101 Firefox/71.0\nAccept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8\nAccept-Language: en-us,en;q=0.5\nAccept-Encoding: gzip,deflate\nConnection: keep-alive\nReferer: https://foo.example/examples/credential.html\nOrigin: https://foo.example\nCookie: pageAccess=2\n\nHTTP/1.1 200 OK\nDate: Mon, 01 Dec 2008 01:34:52 GMT\nServer: Apache/2\nAccess-Control-Allow-Origin: https://foo.example\nAccess-Control-Allow-Credentials: true\nCache-Control: no-cache\nPragma: no-cache\nSet-Cookie: pageAccess=3; expires=Wed, 31-Dec-2008 01:34:53 GMT\nVary: Accept-Encoding, Origin\nContent-Encoding: gzip\nContent-Length: 106\nKeep-Alive: timeout=2, max=100\nConnection: Keep-Alive\nContent-Type: text/plain\n\n[text/plain content]\n</code></pre></div>\n<p>Although the request's <code>Cookie</code> header contains the cookie destined for the content on <code>https://bar.other</code>, if bar.other did not respond with an <a href=\"/en-US/docs/Web/HTTP/Headers/Access-Control-Allow-Credentials\"><code>Access-Control-Allow-Credentials</code></a> with value <code>true</code>, as demonstrated in this example, the response would be ignored and not made available to the web content.</p>\n<h4 id=\"preflight_requests_and_credentials\">Preflight requests and credentials</h4>\n<p>CORS-preflight requests must never include credentials. The <em>response</em> to a preflight request must specify <code>Access-Control-Allow-Credentials: true</code> to indicate that the actual request can be made with credentials.</p>\n<div class=\"notecard note\">\n<p><strong>Note:</strong>\nSome enterprise authentication services require that TLS client certificates be sent in preflight requests, in contravention of the <a href=\"https://fetch.spec.whatwg.org/#cors-protocol-and-credentials\" class=\"external\" target=\"_blank\">Fetch</a> specification.</p>\n<p>Firefox 87 allows this non-compliant behavior to be enabled by setting the preference: <code>network.cors_preflight.allow_client_cert</code> to <code>true</code> (<a href=\"https://bugzil.la/1511151\" class=\"external\" target=\"_blank\">Firefox bug 1511151</a>). Chromium-based browsers currently always send TLS client certificates in CORS preflight requests (<a href=\"https://crbug.com/775438\" class=\"external\" target=\"_blank\">Chrome bug 775438</a>).</p>\n</div>\n<h4 id=\"credentialed_requests_and_wildcards\">Credentialed requests and wildcards</h4>\n<p>When responding to a credentialed request:</p>\n<ul>\n<li>The server <strong>must not</strong> specify the <code>*</code> wildcard for the <code>Access-Control-Allow-Origin</code> response-header value, but must instead specify an explicit origin; for example: <code>Access-Control-Allow-Origin: https://example.com</code></li>\n<li>The server <strong>must not</strong> specify the <code>*</code> wildcard for the <code>Access-Control-Allow-Headers</code> response-header value, but must instead specify an explicit list of header names; for example, <code>Access-Control-Allow-Headers: X-PINGOTHER, Content-Type</code></li>\n<li>The server <strong>must not</strong> specify the <code>*</code> wildcard for the <code>Access-Control-Allow-Methods</code> response-header value, but must instead specify an explicit list of method names; for example, <code>Access-Control-Allow-Methods: POST, GET</code></li>\n<li>The server <strong>must not</strong> specify the <code>*</code> wildcard for the <code>Access-Control-Expose-Headers</code> response-header value, but must instead specify an explicit list of header names; for example, <code>Access-Control-Expose-Headers: Content-Encoding, Kuma-Revision</code></li>\n</ul>\n<p>If a request includes a credential (most commonly a <code>Cookie</code> header) and the response includes an <code>Access-Control-Allow-Origin: *</code> header (that is, with the wildcard), the browser will block access to the response, and report a CORS error in the devtools console.</p>\n<p>But if a request does include a credential (like the <code>Cookie</code> header) and the response includes an actual origin rather than the wildcard (like, for example, <code>Access-Control-Allow-Origin: https://example.com</code>), then the browser will allow access to the response from the specified origin.</p>\n<p>Also note that any <code>Set-Cookie</code> response header in a response would not set a cookie if the <code>Access-Control-Allow-Origin</code> value in that response is the <code>*</code> wildcard rather an actual origin.</p>\n<h4 id=\"third-party_cookies\">Third-party cookies</h4>\n<p>Note that cookies set in CORS responses are subject to normal third-party cookie policies. In the example above, the page is loaded from <code>foo.example</code> but the <code>Cookie</code> header in the response is sent by <code>bar.other</code>, and would thus not be saved if the user's browser is configured to reject all third-party cookies.</p>\n<p>Cookie in the request may also be suppressed in normal third-party cookie policies. The enforced cookie policy may therefore nullify the capability described in this chapter, effectively preventing you from making credentialed requests whatsoever.</p>\n<p>Cookie policy around the <a href=\"/en-US/docs/Web/HTTP/Headers/Set-Cookie#samesitesamesite-value\">SameSite</a> attribute would apply.</p>"}},{"type":"prose","value":{"id":"the_http_response_headers","title":"The HTTP response headers","isH3":false,"content":"<p>This section lists the HTTP response headers that servers return for access control requests as defined by the Cross-Origin Resource Sharing specification. The previous section gives an overview of these in action.</p>"}},{"type":"prose","value":{"id":"access-control-allow-origin","title":"Access-Control-Allow-Origin","isH3":true,"content":"<p>A returned resource may have one <a href=\"/en-US/docs/Web/HTTP/Headers/Access-Control-Allow-Origin\"><code>Access-Control-Allow-Origin</code></a> header with the following syntax:</p>\n<div class=\"code-example\"><div class=\"example-header\"><span class=\"language-name\">http</span></div><pre class=\"brush: http notranslate\"><code>Access-Control-Allow-Origin: <origin> | *\n</code></pre></div>\n<p><code>Access-Control-Allow-Origin</code> specifies either a single origin which tells browsers to allow that origin to access the resource; or else — for requests <strong>without</strong> credentials — the <code>*</code> wildcard tells browsers to allow any origin to access the resource.</p>\n<p>For example, to allow code from the origin <code>https://mozilla.org</code> to access the resource, you can specify:</p>\n<div class=\"code-example\"><div class=\"example-header\"><span class=\"language-name\">http</span></div><pre class=\"brush: http notranslate\"><code>Access-Control-Allow-Origin: https://mozilla.org\nVary: Origin\n</code></pre></div>\n<p>If the server specifies a single origin (that may dynamically change based on the requesting origin as part of an allowlist) rather than the <code>*</code> wildcard, then the server should also include <code>Origin</code> in the <a href=\"/en-US/docs/Web/HTTP/Headers/Vary\"><code>Vary</code></a> response header to indicate to clients that server responses will differ based on the value of the <a href=\"/en-US/docs/Web/HTTP/Headers/Origin\"><code>Origin</code></a> request header.</p>"}},{"type":"prose","value":{"id":"access-control-expose-headers","title":"Access-Control-Expose-Headers","isH3":true,"content":"<p>The <a href=\"/en-US/docs/Web/HTTP/Headers/Access-Control-Expose-Headers\"><code>Access-Control-Expose-Headers</code></a> header adds the specified headers to the allowlist that JavaScript (such as <a href=\"/en-US/docs/Web/API/Response/headers\"><code>Response.headers</code></a>) in browsers is allowed to access.</p>\n<div class=\"code-example\"><div class=\"example-header\"><span class=\"language-name\">http</span></div><pre class=\"brush: http notranslate\"><code>Access-Control-Expose-Headers: <header-name>[, <header-name>]*\n</code></pre></div>\n<p>For example, the following:</p>\n<div class=\"code-example\"><div class=\"example-header\"><span class=\"language-name\">http</span></div><pre class=\"brush: http notranslate\"><code>Access-Control-Expose-Headers: X-My-Custom-Header, X-Another-Custom-Header\n</code></pre></div>\n<p>…would allow the <code>X-My-Custom-Header</code> and <code>X-Another-Custom-Header</code> headers to be exposed to the browser.</p>"}},{"type":"prose","value":{"id":"access-control-max-age","title":"Access-Control-Max-Age","isH3":true,"content":"<p>The <a href=\"/en-US/docs/Web/HTTP/Headers/Access-Control-Max-Age\"><code>Access-Control-Max-Age</code></a> header indicates how long the results of a preflight request can be cached. For an example of a preflight request, see the above examples.</p>\n<div class=\"code-example\"><div class=\"example-header\"><span class=\"language-name\">http</span></div><pre class=\"brush: http notranslate\"><code>Access-Control-Max-Age: <delta-seconds>\n</code></pre></div>\n<p>The <code>delta-seconds</code> parameter indicates the number of seconds the results can be cached.</p>"}},{"type":"prose","value":{"id":"access-control-allow-credentials","title":"Access-Control-Allow-Credentials","isH3":true,"content":"<p>The <a href=\"/en-US/docs/Web/HTTP/Headers/Access-Control-Allow-Credentials\"><code>Access-Control-Allow-Credentials</code></a> header indicates whether or not the response to the request can be exposed when the <code>credentials</code> flag is true. When used as part of a response to a preflight request, this indicates whether or not the actual request can be made using credentials. Note that simple <code>GET</code> requests are not preflighted, and so if a request is made for a resource with credentials, if this header is not returned with the resource, the response is ignored by the browser and not returned to web content.</p>\n<div class=\"code-example\"><div class=\"example-header\"><span class=\"language-name\">http</span></div><pre class=\"brush: http notranslate\"><code>Access-Control-Allow-Credentials: true\n</code></pre></div>\n<p><a href=\"#requests_with_credentials\">Credentialed requests</a> are discussed above.</p>"}},{"type":"prose","value":{"id":"access-control-allow-methods","title":"Access-Control-Allow-Methods","isH3":true,"content":"<p>The <a href=\"/en-US/docs/Web/HTTP/Headers/Access-Control-Allow-Methods\"><code>Access-Control-Allow-Methods</code></a> header specifies the method or methods allowed when accessing the resource. This is used in response to a preflight request. The conditions under which a request is preflighted are discussed above.</p>\n<div class=\"code-example\"><div class=\"example-header\"><span class=\"language-name\">http</span></div><pre class=\"brush: http notranslate\"><code>Access-Control-Allow-Methods: <method>[, <method>]*\n</code></pre></div>\n<p>An example of a <a href=\"/en-US/docs/Glossary/Preflight_request\">preflight request</a> is given above, including an example which sends this header to the browser.</p>"}},{"type":"prose","value":{"id":"access-control-allow-headers","title":"Access-Control-Allow-Headers","isH3":true,"content":"<p>The <a href=\"/en-US/docs/Web/HTTP/Headers/Access-Control-Allow-Headers\"><code>Access-Control-Allow-Headers</code></a> header is used in response to a <a href=\"/en-US/docs/Glossary/Preflight_request\">preflight request</a> to indicate which HTTP headers can be used when making the actual request. This header is the server side response to the browser's <a href=\"/en-US/docs/Web/HTTP/Headers/Access-Control-Request-Headers\"><code>Access-Control-Request-Headers</code></a> header.</p>\n<div class=\"code-example\"><div class=\"example-header\"><span class=\"language-name\">http</span></div><pre class=\"brush: http notranslate\"><code>Access-Control-Allow-Headers: <header-name>[, <header-name>]*\n</code></pre></div>"}},{"type":"prose","value":{"id":"the_http_request_headers","title":"The HTTP request headers","isH3":false,"content":"<p>This section lists headers that clients may use when issuing HTTP requests in order to make use of the cross-origin sharing feature. Note that these headers are set for you when making invocations to servers. Developers making cross-origin requests do not have to set any cross-origin sharing request headers programmatically.</p>"}},{"type":"prose","value":{"id":"origin","title":"Origin","isH3":true,"content":"<p>The <a href=\"/en-US/docs/Web/HTTP/Headers/Origin\"><code>Origin</code></a> header indicates the origin of the cross-origin access request or preflight request.</p>\n<div class=\"code-example\"><div class=\"example-header\"><span class=\"language-name\">http</span></div><pre class=\"brush: http notranslate\"><code>Origin: <origin>\n</code></pre></div>\n<p>The origin is a URL indicating the server from which the request is initiated. It does not include any path information, only the server name.</p>\n<div class=\"notecard note\">\n<p><strong>Note:</strong>\nThe <code>origin</code> value can be <code>null</code>.</p>\n</div>\n<p>Note that in any access control request, the <a href=\"/en-US/docs/Web/HTTP/Headers/Origin\"><code>Origin</code></a> header is <strong>always</strong> sent.</p>"}},{"type":"prose","value":{"id":"access-control-request-method","title":"Access-Control-Request-Method","isH3":true,"content":"<p>The <a href=\"/en-US/docs/Web/HTTP/Headers/Access-Control-Request-Method\"><code>Access-Control-Request-Method</code></a> is used when issuing a preflight request to let the server know what HTTP method will be used when the actual request is made.</p>\n<div class=\"code-example\"><div class=\"example-header\"><span class=\"language-name\">http</span></div><pre class=\"brush: http notranslate\"><code>Access-Control-Request-Method: <method>\n</code></pre></div>\n<p>Examples of this usage can be <a href=\"#preflighted_requests\">found above.</a></p>"}},{"type":"prose","value":{"id":"access-control-request-headers","title":"Access-Control-Request-Headers","isH3":true,"content":"<p>The <a href=\"/en-US/docs/Web/HTTP/Headers/Access-Control-Request-Headers\"><code>Access-Control-Request-Headers</code></a> header is used when issuing a preflight request to let the server know what HTTP headers will be used when the actual request is made (for example, by passing them as the <a href=\"/en-US/docs/Web/API/RequestInit#headers\"><code>headers</code></a> option). This browser-side header will be answered by the complementary server-side header of <a href=\"/en-US/docs/Web/HTTP/Headers/Access-Control-Allow-Headers\"><code>Access-Control-Allow-Headers</code></a>.</p>\n<div class=\"code-example\"><div class=\"example-header\"><span class=\"language-name\">http</span></div><pre class=\"brush: http notranslate\"><code>Access-Control-Request-Headers: <field-name>[,<field-name>]*\n</code></pre></div>\n<p>Examples of this usage can be <a href=\"#preflighted_requests\">found above</a>.</p>"}},{"type":"specifications","value":{"id":"specifications","title":"Specifications","isH3":false,"specifications":[{"bcdSpecificationURL":"https://fetch.spec.whatwg.org/#http-access-control-allow-origin","title":"Fetch"}],"query":"http.headers.Access-Control-Allow-Origin"}},{"type":"browser_compatibility","value":{"id":"browser_compatibility","title":"Browser compatibility","isH3":false,"query":"http.headers.Access-Control-Allow-Origin"}},{"type":"prose","value":{"id":"see_also","title":"See also","isH3":false,"content":"<ul>\n<li>\n<p><a href=\"/en-US/docs/Web/HTTP/CORS/Errors\">CORS errors</a></p>\n</li>\n<li>\n<p><a href=\"https://enable-cors.org/server.html\" class=\"external\" target=\"_blank\">Enable CORS: I want to add CORS support to my server</a></p>\n</li>\n<li>\n<p><a href=\"/en-US/docs/Web/API/Fetch_API\">Fetch API</a></p>\n</li>\n<li><a href=\"/en-US/docs/Web/API/XMLHttpRequest\"><code>XMLHttpRequest</code></a></li>\n<li>\n<p><a href=\"https://httptoolkit.com/will-it-cors/\" class=\"external\" target=\"_blank\">Will it CORS?</a> - an interactive CORS explainer & generator</p>\n</li>\n<li>\n<p><a href=\"https://alfilatov.com/posts/run-chrome-without-cors/\" class=\"external\" target=\"_blank\">How to run Chrome browser without CORS</a></p>\n</li>\n<li>\n<p><a href=\"https://www.telerik.com/blogs/using-cors-with-all-modern-browsers\" class=\"external\" target=\"_blank\">Using CORS with All (Modern) Browsers</a></p>\n</li>\n<li>\n<p><a href=\"https://stackoverflow.com/questions/43871637/no-access-control-allow-origin-header-is-present-on-the-requested-resource-whe/43881141#43881141\" class=\"external\" target=\"_blank\">Stack Overflow answer with \"how to\" info for dealing with common problems</a>:</p>\n<ul>\n<li>How to avoid the CORS preflight</li>\n<li>How to use a CORS proxy to get around <em>\"No Access-Control-Allow-Origin header\"</em></li>\n<li>How to fix <em>\"Access-Control-Allow-Origin header must not be the wildcard\"</em></li>\n</ul>\n</li>\n</ul>"}}],"isActive":true,"isMarkdown":true,"isTranslated":false,"locale":"en-US","mdn_url":"/en-US/docs/Web/HTTP/CORS","modified":"2025-02-24T09:53:28.000Z","native":"English (US)","noIndexing":false,"other_translations":[{"locale":"de","title":"Cross-Origin Resource Sharing (CORS)","native":"Deutsch"},{"locale":"es","title":"Intercambio de recursos de origen cruzado (CORS)","native":"Español"},{"locale":"fr","title":"Cross-origin resource sharing (CORS)","native":"Français"},{"locale":"ja","title":"オリジン間リソース共有 (CORS)","native":"日本語"},{"locale":"ko","title":"교차 출처 리소스 공유 (CORS)","native":"한국어"},{"locale":"pt-BR","title":"Cross-Origin Resource Sharing (CORS)","native":"Português (do Brasil)"},{"locale":"ru","title":"Cross-Origin Resource Sharing (CORS)","native":"Русский"},{"locale":"zh-CN","title":"跨源资源共享(CORS)","native":"中文 (简体)"},{"locale":"zh-TW","title":"跨來源資源共享(CORS)","native":"正體中文 (繁體)"}],"pageTitle":"Cross-Origin Resource Sharing (CORS) - HTTP | MDN","parents":[{"uri":"/en-US/docs/Web","title":"References"},{"uri":"/en-US/docs/Web/HTTP","title":"HTTP"},{"uri":"/en-US/docs/Web/HTTP/CORS","title":"Cross-Origin Resource Sharing (CORS)"}],"popularity":null,"short_title":"Cross-Origin Resource Sharing (CORS)","sidebarHTML":"<ol><li class=\"section\"><a href=\"/en-US/docs/Web/HTTP\">HTTP</a></li><li class=\"section\">Guides</li><li><a href=\"/en-US/docs/Web/HTTP/Overview\">An overview of HTTP</a></li><li><a href=\"/en-US/docs/Web/HTTP/Session\">A typical HTTP session</a></li><li><a href=\"/en-US/docs/Web/HTTP/Messages\">HTTP messages</a></li><li><a href=\"/en-US/docs/Web/HTTP/MIME_types\">MIME types (IANA media types)</a></li><li><a href=\"/en-US/docs/Web/HTTP/Compression\">Compression in HTTP</a></li><li><a href=\"/en-US/docs/Web/HTTP/Caching\">HTTP caching</a></li><li><a href=\"/en-US/docs/Web/HTTP/Authentication\">HTTP authentication</a></li><li><a href=\"/en-US/docs/Web/HTTP/Cookies\">Using HTTP cookies</a></li><li><a href=\"/en-US/docs/Web/HTTP/Redirections\">Redirections in HTTP</a></li><li><a href=\"/en-US/docs/Web/HTTP/Conditional_requests\">HTTP conditional requests</a></li><li><a href=\"/en-US/docs/Web/HTTP/Range_requests\">HTTP range requests</a></li><li><a href=\"/en-US/docs/Web/HTTP/Content_negotiation\">Content negotiation</a></li><li><a href=\"/en-US/docs/Web/HTTP/Connection_management_in_HTTP_1.x\">Connection management in HTTP/1.x</a></li><li><a href=\"/en-US/docs/Web/HTTP/Evolution_of_HTTP\">Evolution of HTTP</a></li><li><a href=\"/en-US/docs/Web/HTTP/Protocol_upgrade_mechanism\">Protocol upgrade mechanism</a></li><li><a href=\"/en-US/docs/Web/HTTP/Proxy_servers_and_tunneling\">Proxy servers and tunneling</a></li><li><a href=\"/en-US/docs/Web/HTTP/Client_hints\">HTTP Client hints</a></li><li class=\"toggle\"><details open=\"\"><summary>Security and privacy</summary><ol><li><a href=\"/en-US/docs/Web/Security/Practical_implementation_guides\">Practical security implementation guides</a></li><li><a href=\"/en-US/observatory\">HTTP Observatory</a></li><li><a href=\"/en-US/docs/Web/HTTP/Permissions_Policy\">Permissions Policy</a><abbr class=\"icon icon-experimental\" title=\"Experimental. Expect behavior to change in the future.\">\n<span class=\"visually-hidden\">Experimental</span>\n</abbr></li><li><a href=\"/en-US/docs/Web/HTTP/CSP\">Content Security Policy (CSP)</a></li><li><em><a href=\"/en-US/docs/Web/HTTP/CORS\" aria-current=\"page\">Cross-Origin Resource Sharing (CORS)</a></em></li><li><a href=\"/en-US/docs/Web/HTTP/Cross-Origin_Resource_Policy\">Cross-Origin Resource Policy (CORP)</a></li><li><a href=\"/en-US/docs/Web/HTTP/Headers\">Headers</a></li></ol></details></li><li class=\"section\">References</li><li class=\"toggle\"><details><summary>HTTP headers</summary><ol><li><a href=\"/en-US/docs/Web/HTTP/Headers/Accept\"><code>Accept</code></a></li><li><a href=\"/en-US/docs/Web/HTTP/Headers/Accept-CH\"><code>Accept-CH</code></a></li><li><a href=\"/en-US/docs/Web/HTTP/Headers/Accept-Encoding\"><code>Accept-Encoding</code></a></li><li><a href=\"/en-US/docs/Web/HTTP/Headers/Accept-Language\"><code>Accept-Language</code></a></li><li><a href=\"/en-US/docs/Web/HTTP/Headers/Accept-Patch\"><code>Accept-Patch</code></a></li><li><a href=\"/en-US/docs/Web/HTTP/Headers/Accept-Post\"><code>Accept-Post</code></a></li><li><a href=\"/en-US/docs/Web/HTTP/Headers/Accept-Ranges\"><code>Accept-Ranges</code></a></li><li><a href=\"/en-US/docs/Web/HTTP/Headers/Access-Control-Allow-Credentials\"><code>Access-Control-Allow-Credentials</code></a></li><li><a href=\"/en-US/docs/Web/HTTP/Headers/Access-Control-Allow-Headers\"><code>Access-Control-Allow-Headers</code></a></li><li><a href=\"/en-US/docs/Web/HTTP/Headers/Access-Control-Allow-Methods\"><code>Access-Control-Allow-Methods</code></a></li><li><a href=\"/en-US/docs/Web/HTTP/Headers/Access-Control-Allow-Origin\"><code>Access-Control-Allow-Origin</code></a></li><li><a href=\"/en-US/docs/Web/HTTP/Headers/Access-Control-Expose-Headers\"><code>Access-Control-Expose-Headers</code></a></li><li><a href=\"/en-US/docs/Web/HTTP/Headers/Access-Control-Max-Age\"><code>Access-Control-Max-Age</code></a></li><li><a href=\"/en-US/docs/Web/HTTP/Headers/Access-Control-Request-Headers\"><code>Access-Control-Request-Headers</code></a></li><li><a href=\"/en-US/docs/Web/HTTP/Headers/Access-Control-Request-Method\"><code>Access-Control-Request-Method</code></a></li><li><a href=\"/en-US/docs/Web/HTTP/Headers/Age\"><code>Age</code></a></li><li><a href=\"/en-US/docs/Web/HTTP/Headers/Allow\"><code>Allow</code></a></li><li><a href=\"/en-US/docs/Web/HTTP/Headers/Alt-Svc\"><code>Alt-Svc</code></a></li><li><a href=\"/en-US/docs/Web/HTTP/Headers/Alt-Used\"><code>Alt-Used</code></a></li><li><a href=\"/en-US/docs/Web/HTTP/Headers/Attribution-Reporting-Eligible\"><code>Attribution-Reporting-Eligible</code></a><abbr class=\"icon icon-experimental\" title=\"Experimental. Expect behavior to change in the future.\">\n<span class=\"visually-hidden\">Experimental</span>\n</abbr></li><li><a href=\"/en-US/docs/Web/HTTP/Headers/Attribution-Reporting-Register-Source\"><code>Attribution-Reporting-Register-Source</code></a><abbr class=\"icon icon-experimental\" title=\"Experimental. Expect behavior to change in the future.\">\n<span class=\"visually-hidden\">Experimental</span>\n</abbr></li><li><a href=\"/en-US/docs/Web/HTTP/Headers/Attribution-Reporting-Register-Trigger\"><code>Attribution-Reporting-Register-Trigger</code></a><abbr class=\"icon icon-experimental\" title=\"Experimental. Expect behavior to change in the future.\">\n<span class=\"visually-hidden\">Experimental</span>\n</abbr></li><li><a href=\"/en-US/docs/Web/HTTP/Headers/Authorization\"><code>Authorization</code></a></li><li><a href=\"/en-US/docs/Web/HTTP/Headers/Cache-Control\"><code>Cache-Control</code></a></li><li><a href=\"/en-US/docs/Web/HTTP/Headers/Clear-Site-Data\"><code>Clear-Site-Data</code></a></li><li><a href=\"/en-US/docs/Web/HTTP/Headers/Connection\"><code>Connection</code></a></li><li><a href=\"/en-US/docs/Web/HTTP/Headers/Content-Digest\"><code>Content-Digest</code></a></li><li><a href=\"/en-US/docs/Web/HTTP/Headers/Content-Disposition\"><code>Content-Disposition</code></a></li><li><a href=\"/en-US/docs/Web/HTTP/Headers/Content-DPR\"><code>Content-DPR</code></a><abbr class=\"icon icon-nonstandard\" title=\"Non-standard. Check cross-browser support before using.\">\n<span class=\"visually-hidden\">Non-standard</span>\n</abbr><abbr class=\"icon icon-deprecated\" title=\"Deprecated. Not for use in new websites.\">\n<span class=\"visually-hidden\">Deprecated</span>\n</abbr></li><li><a href=\"/en-US/docs/Web/HTTP/Headers/Content-Encoding\"><code>Content-Encoding</code></a></li><li><a href=\"/en-US/docs/Web/HTTP/Headers/Content-Language\"><code>Content-Language</code></a></li><li><a href=\"/en-US/docs/Web/HTTP/Headers/Content-Length\"><code>Content-Length</code></a></li><li><a href=\"/en-US/docs/Web/HTTP/Headers/Content-Location\"><code>Content-Location</code></a></li><li><a href=\"/en-US/docs/Web/HTTP/Headers/Content-Range\"><code>Content-Range</code></a></li><li><a href=\"/en-US/docs/Web/HTTP/Headers/Content-Security-Policy\"><code>Content-Security-Policy</code></a></li><li><a href=\"/en-US/docs/Web/HTTP/Headers/Content-Security-Policy-Report-Only\"><code>Content-Security-Policy-Report-Only</code></a></li><li><a href=\"/en-US/docs/Web/HTTP/Headers/Content-Type\"><code>Content-Type</code></a></li><li><a href=\"/en-US/docs/Web/HTTP/Headers/Cookie\"><code>Cookie</code></a></li><li><a href=\"/en-US/docs/Web/HTTP/Headers/Critical-CH\"><code>Critical-CH</code></a><abbr class=\"icon icon-experimental\" title=\"Experimental. Expect behavior to change in the future.\">\n<span class=\"visually-hidden\">Experimental</span>\n</abbr></li><li><a href=\"/en-US/docs/Web/HTTP/Headers/Cross-Origin-Embedder-Policy\"><code>Cross-Origin-Embedder-Policy</code></a></li><li><a href=\"/en-US/docs/Web/HTTP/Headers/Cross-Origin-Opener-Policy\"><code>Cross-Origin-Opener-Policy</code></a></li><li><a href=\"/en-US/docs/Web/HTTP/Headers/Cross-Origin-Resource-Policy\"><code>Cross-Origin-Resource-Policy</code></a></li><li><a href=\"/en-US/docs/Web/HTTP/Headers/Date\"><code>Date</code></a></li><li><a href=\"/en-US/docs/Web/HTTP/Headers/Device-Memory\"><code>Device-Memory</code></a></li><li><a href=\"/en-US/docs/Web/HTTP/Headers/DNT\"><code>DNT</code></a><abbr class=\"icon icon-nonstandard\" title=\"Non-standard. Check cross-browser support before using.\">\n<span class=\"visually-hidden\">Non-standard</span>\n</abbr><abbr class=\"icon icon-deprecated\" title=\"Deprecated. Not for use in new websites.\">\n<span class=\"visually-hidden\">Deprecated</span>\n</abbr></li><li><a href=\"/en-US/docs/Web/HTTP/Headers/Downlink\"><code>Downlink</code></a><abbr class=\"icon icon-experimental\" title=\"Experimental. Expect behavior to change in the future.\">\n<span class=\"visually-hidden\">Experimental</span>\n</abbr></li><li><a href=\"/en-US/docs/Web/HTTP/Headers/DPR\"><code>DPR</code></a><abbr class=\"icon icon-nonstandard\" title=\"Non-standard. Check cross-browser support before using.\">\n<span class=\"visually-hidden\">Non-standard</span>\n</abbr><abbr class=\"icon icon-deprecated\" title=\"Deprecated. Not for use in new websites.\">\n<span class=\"visually-hidden\">Deprecated</span>\n</abbr></li><li><a href=\"/en-US/docs/Web/HTTP/Headers/Early-Data\"><code>Early-Data</code></a><abbr class=\"icon icon-experimental\" title=\"Experimental. Expect behavior to change in the future.\">\n<span class=\"visually-hidden\">Experimental</span>\n</abbr></li><li><a href=\"/en-US/docs/Web/HTTP/Headers/ECT\"><code>ECT</code></a><abbr class=\"icon icon-experimental\" title=\"Experimental. Expect behavior to change in the future.\">\n<span class=\"visually-hidden\">Experimental</span>\n</abbr></li><li><a href=\"/en-US/docs/Web/HTTP/Headers/ETag\"><code>ETag</code></a></li><li><a href=\"/en-US/docs/Web/HTTP/Headers/Expect\"><code>Expect</code></a></li><li><a href=\"/en-US/docs/Web/HTTP/Headers/Expect-CT\"><code>Expect-CT</code></a><abbr class=\"icon icon-deprecated\" title=\"Deprecated. Not for use in new websites.\">\n<span class=\"visually-hidden\">Deprecated</span>\n</abbr></li><li><a href=\"/en-US/docs/Web/HTTP/Headers/Expires\"><code>Expires</code></a></li><li><a href=\"/en-US/docs/Web/HTTP/Headers/Forwarded\"><code>Forwarded</code></a></li><li><a href=\"/en-US/docs/Web/HTTP/Headers/From\"><code>From</code></a></li><li><a href=\"/en-US/docs/Web/HTTP/Headers/Host\"><code>Host</code></a></li><li><a href=\"/en-US/docs/Web/HTTP/Headers/If-Match\"><code>If-Match</code></a></li><li><a href=\"/en-US/docs/Web/HTTP/Headers/If-Modified-Since\"><code>If-Modified-Since</code></a></li><li><a href=\"/en-US/docs/Web/HTTP/Headers/If-None-Match\"><code>If-None-Match</code></a></li><li><a href=\"/en-US/docs/Web/HTTP/Headers/If-Range\"><code>If-Range</code></a></li><li><a href=\"/en-US/docs/Web/HTTP/Headers/If-Unmodified-Since\"><code>If-Unmodified-Since</code></a></li><li><a href=\"/en-US/docs/Web/HTTP/Headers/Keep-Alive\"><code>Keep-Alive</code></a></li><li><a href=\"/en-US/docs/Web/HTTP/Headers/Last-Modified\"><code>Last-Modified</code></a></li><li><a href=\"/en-US/docs/Web/HTTP/Headers/Link\"><code>Link</code></a></li><li><a href=\"/en-US/docs/Web/HTTP/Headers/Location\"><code>Location</code></a></li><li><a href=\"/en-US/docs/Web/HTTP/Headers/Max-Forwards\"><code>Max-Forwards</code></a></li><li><a href=\"/en-US/docs/Web/HTTP/Headers/NEL\"><code>NEL</code></a><abbr class=\"icon icon-experimental\" title=\"Experimental. Expect behavior to change in the future.\">\n<span class=\"visually-hidden\">Experimental</span>\n</abbr></li><li><a href=\"/en-US/docs/Web/HTTP/Headers/No-Vary-Search\"><code>No-Vary-Search</code></a><abbr class=\"icon icon-experimental\" title=\"Experimental. Expect behavior to change in the future.\">\n<span class=\"visually-hidden\">Experimental</span>\n</abbr></li><li><a href=\"/en-US/docs/Web/HTTP/Headers/Observe-Browsing-Topics\"><code>Observe-Browsing-Topics</code></a><abbr class=\"icon icon-experimental\" title=\"Experimental. Expect behavior to change in the future.\">\n<span class=\"visually-hidden\">Experimental</span>\n</abbr><abbr class=\"icon icon-nonstandard\" title=\"Non-standard. Check cross-browser support before using.\">\n<span class=\"visually-hidden\">Non-standard</span>\n</abbr></li><li><a href=\"/en-US/docs/Web/HTTP/Headers/Origin\"><code>Origin</code></a></li><li><a href=\"/en-US/docs/Web/HTTP/Headers/Origin-Agent-Cluster\"><code>Origin-Agent-Cluster</code></a><abbr class=\"icon icon-experimental\" title=\"Experimental. Expect behavior to change in the future.\">\n<span class=\"visually-hidden\">Experimental</span>\n</abbr></li><li><a href=\"/en-US/docs/Web/HTTP/Headers/Permissions-Policy\"><code>Permissions-Policy</code></a><abbr class=\"icon icon-experimental\" title=\"Experimental. Expect behavior to change in the future.\">\n<span class=\"visually-hidden\">Experimental</span>\n</abbr></li><li><a href=\"/en-US/docs/Web/HTTP/Headers/Pragma\"><code>Pragma</code></a><abbr class=\"icon icon-deprecated\" title=\"Deprecated. Not for use in new websites.\">\n<span class=\"visually-hidden\">Deprecated</span>\n</abbr></li><li><a href=\"/en-US/docs/Web/HTTP/Headers/Priority\"><code>Priority</code></a></li><li><a href=\"/en-US/docs/Web/HTTP/Headers/Proxy-Authenticate\"><code>Proxy-Authenticate</code></a></li><li><a href=\"/en-US/docs/Web/HTTP/Headers/Proxy-Authorization\"><code>Proxy-Authorization</code></a></li><li><a href=\"/en-US/docs/Web/HTTP/Headers/Range\"><code>Range</code></a></li><li><a href=\"/en-US/docs/Web/HTTP/Headers/Referer\"><code>Referer</code></a></li><li><a href=\"/en-US/docs/Web/HTTP/Headers/Referrer-Policy\"><code>Referrer-Policy</code></a></li><li><a href=\"/en-US/docs/Web/HTTP/Headers/Refresh\"><code>Refresh</code></a></li><li><a href=\"/en-US/docs/Web/HTTP/Headers/Report-To\"><code>Report-To</code></a><abbr class=\"icon icon-nonstandard\" title=\"Non-standard. Check cross-browser support before using.\">\n<span class=\"visually-hidden\">Non-standard</span>\n</abbr><abbr class=\"icon icon-deprecated\" title=\"Deprecated. Not for use in new websites.\">\n<span class=\"visually-hidden\">Deprecated</span>\n</abbr></li><li><a href=\"/en-US/docs/Web/HTTP/Headers/Reporting-Endpoints\"><code>Reporting-Endpoints</code></a><abbr class=\"icon icon-experimental\" title=\"Experimental. Expect behavior to change in the future.\">\n<span class=\"visually-hidden\">Experimental</span>\n</abbr></li><li><a href=\"/en-US/docs/Web/HTTP/Headers/Repr-Digest\"><code>Repr-Digest</code></a></li><li><a href=\"/en-US/docs/Web/HTTP/Headers/Retry-After\"><code>Retry-After</code></a></li><li><a href=\"/en-US/docs/Web/HTTP/Headers/RTT\"><code>RTT</code></a><abbr class=\"icon icon-experimental\" title=\"Experimental. Expect behavior to change in the future.\">\n<span class=\"visually-hidden\">Experimental</span>\n</abbr></li><li><a href=\"/en-US/docs/Web/HTTP/Headers/Save-Data\"><code>Save-Data</code></a><abbr class=\"icon icon-experimental\" title=\"Experimental. Expect behavior to change in the future.\">\n<span class=\"visually-hidden\">Experimental</span>\n</abbr></li><li><a href=\"/en-US/docs/Web/HTTP/Headers/Sec-Browsing-Topics\"><code>Sec-Browsing-Topics</code></a><abbr class=\"icon icon-experimental\" title=\"Experimental. Expect behavior to change in the future.\">\n<span class=\"visually-hidden\">Experimental</span>\n</abbr><abbr class=\"icon icon-nonstandard\" title=\"Non-standard. Check cross-browser support before using.\">\n<span class=\"visually-hidden\">Non-standard</span>\n</abbr></li><li><a href=\"/en-US/docs/Web/HTTP/Headers/Sec-CH-Prefers-Color-Scheme\"><code>Sec-CH-Prefers-Color-Scheme</code></a><abbr class=\"icon icon-experimental\" title=\"Experimental. Expect behavior to change in the future.\">\n<span class=\"visually-hidden\">Experimental</span>\n</abbr></li><li><a href=\"/en-US/docs/Web/HTTP/Headers/Sec-CH-Prefers-Reduced-Motion\"><code>Sec-CH-Prefers-Reduced-Motion</code></a><abbr class=\"icon icon-experimental\" title=\"Experimental. Expect behavior to change in the future.\">\n<span class=\"visually-hidden\">Experimental</span>\n</abbr></li><li><a href=\"/en-US/docs/Web/HTTP/Headers/Sec-CH-Prefers-Reduced-Transparency\"><code>Sec-CH-Prefers-Reduced-Transparency</code></a><abbr class=\"icon icon-experimental\" title=\"Experimental. Expect behavior to change in the future.\">\n<span class=\"visually-hidden\">Experimental</span>\n</abbr></li><li><a href=\"/en-US/docs/Web/HTTP/Headers/Sec-CH-UA\"><code>Sec-CH-UA</code></a><abbr class=\"icon icon-experimental\" title=\"Experimental. Expect behavior to change in the future.\">\n<span class=\"visually-hidden\">Experimental</span>\n</abbr></li><li><a href=\"/en-US/docs/Web/HTTP/Headers/Sec-CH-UA-Arch\"><code>Sec-CH-UA-Arch</code></a><abbr class=\"icon icon-experimental\" title=\"Experimental. Expect behavior to change in the future.\">\n<span class=\"visually-hidden\">Experimental</span>\n</abbr></li><li><a href=\"/en-US/docs/Web/HTTP/Headers/Sec-CH-UA-Bitness\"><code>Sec-CH-UA-Bitness</code></a><abbr class=\"icon icon-experimental\" title=\"Experimental. Expect behavior to change in the future.\">\n<span class=\"visually-hidden\">Experimental</span>\n</abbr></li><li><a href=\"/en-US/docs/Web/HTTP/Headers/Sec-CH-UA-Form-Factors\"><code>Sec-CH-UA-Form-Factors</code></a><abbr class=\"icon icon-experimental\" title=\"Experimental. Expect behavior to change in the future.\">\n<span class=\"visually-hidden\">Experimental</span>\n</abbr></li><li><a href=\"/en-US/docs/Web/HTTP/Headers/Sec-CH-UA-Full-Version\"><code>Sec-CH-UA-Full-Version</code></a><abbr class=\"icon icon-deprecated\" title=\"Deprecated. Not for use in new websites.\">\n<span class=\"visually-hidden\">Deprecated</span>\n</abbr></li><li><a href=\"/en-US/docs/Web/HTTP/Headers/Sec-CH-UA-Full-Version-List\"><code>Sec-CH-UA-Full-Version-List</code></a><abbr class=\"icon icon-experimental\" title=\"Experimental. Expect behavior to change in the future.\">\n<span class=\"visually-hidden\">Experimental</span>\n</abbr></li><li><a href=\"/en-US/docs/Web/HTTP/Headers/Sec-CH-UA-Mobile\"><code>Sec-CH-UA-Mobile</code></a><abbr class=\"icon icon-experimental\" title=\"Experimental. Expect behavior to change in the future.\">\n<span class=\"visually-hidden\">Experimental</span>\n</abbr></li><li><a href=\"/en-US/docs/Web/HTTP/Headers/Sec-CH-UA-Model\"><code>Sec-CH-UA-Model</code></a><abbr class=\"icon icon-experimental\" title=\"Experimental. Expect behavior to change in the future.\">\n<span class=\"visually-hidden\">Experimental</span>\n</abbr></li><li><a href=\"/en-US/docs/Web/HTTP/Headers/Sec-CH-UA-Platform\"><code>Sec-CH-UA-Platform</code></a><abbr class=\"icon icon-experimental\" title=\"Experimental. Expect behavior to change in the future.\">\n<span class=\"visually-hidden\">Experimental</span>\n</abbr></li><li><a href=\"/en-US/docs/Web/HTTP/Headers/Sec-CH-UA-Platform-Version\"><code>Sec-CH-UA-Platform-Version</code></a><abbr class=\"icon icon-experimental\" title=\"Experimental. Expect behavior to change in the future.\">\n<span class=\"visually-hidden\">Experimental</span>\n</abbr></li><li><a href=\"/en-US/docs/Web/HTTP/Headers/Sec-CH-UA-WoW64\"><code>Sec-CH-UA-WoW64</code></a><abbr class=\"icon icon-experimental\" title=\"Experimental. Expect behavior to change in the future.\">\n<span class=\"visually-hidden\">Experimental</span>\n</abbr></li><li><a href=\"/en-US/docs/Web/HTTP/Headers/Sec-Fetch-Dest\"><code>Sec-Fetch-Dest</code></a></li><li><a href=\"/en-US/docs/Web/HTTP/Headers/Sec-Fetch-Mode\"><code>Sec-Fetch-Mode</code></a></li><li><a href=\"/en-US/docs/Web/HTTP/Headers/Sec-Fetch-Site\"><code>Sec-Fetch-Site</code></a></li><li><a href=\"/en-US/docs/Web/HTTP/Headers/Sec-Fetch-User\"><code>Sec-Fetch-User</code></a></li><li><a href=\"/en-US/docs/Web/HTTP/Headers/Sec-GPC\"><code>Sec-GPC</code></a><abbr class=\"icon icon-experimental\" title=\"Experimental. Expect behavior to change in the future.\">\n<span class=\"visually-hidden\">Experimental</span>\n</abbr></li><li><a href=\"/en-US/docs/Web/HTTP/Headers/Sec-Purpose\"><code>Sec-Purpose</code></a></li><li><a href=\"/en-US/docs/Web/HTTP/Headers/Sec-WebSocket-Accept\"><code>Sec-WebSocket-Accept</code></a></li><li><a href=\"/en-US/docs/Web/HTTP/Headers/Sec-WebSocket-Extensions\"><code>Sec-WebSocket-Extensions</code></a></li><li><a href=\"/en-US/docs/Web/HTTP/Headers/Sec-WebSocket-Key\"><code>Sec-WebSocket-Key</code></a></li><li><a href=\"/en-US/docs/Web/HTTP/Headers/Sec-WebSocket-Protocol\"><code>Sec-WebSocket-Protocol</code></a></li><li><a href=\"/en-US/docs/Web/HTTP/Headers/Sec-WebSocket-Version\"><code>Sec-WebSocket-Version</code></a></li><li><a href=\"/en-US/docs/Web/HTTP/Headers/Server\"><code>Server</code></a></li><li><a href=\"/en-US/docs/Web/HTTP/Headers/Server-Timing\"><code>Server-Timing</code></a></li><li><a href=\"/en-US/docs/Web/HTTP/Headers/Service-Worker\"><code>Service-Worker</code></a></li><li><a href=\"/en-US/docs/Web/HTTP/Headers/Service-Worker-Allowed\"><code>Service-Worker-Allowed</code></a></li><li><a href=\"/en-US/docs/Web/HTTP/Headers/Service-Worker-Navigation-Preload\"><code>Service-Worker-Navigation-Preload</code></a></li><li><a href=\"/en-US/docs/Web/HTTP/Headers/Set-Cookie\"><code>Set-Cookie</code></a></li><li><a href=\"/en-US/docs/Web/HTTP/Headers/Set-Login\"><code>Set-Login</code></a><abbr class=\"icon icon-experimental\" title=\"Experimental. Expect behavior to change in the future.\">\n<span class=\"visually-hidden\">Experimental</span>\n</abbr></li><li><a href=\"/en-US/docs/Web/HTTP/Headers/SourceMap\"><code>SourceMap</code></a></li><li><a href=\"/en-US/docs/Web/HTTP/Headers/Speculation-Rules\"><code>Speculation-Rules</code></a><abbr class=\"icon icon-experimental\" title=\"Experimental. Expect behavior to change in the future.\">\n<span class=\"visually-hidden\">Experimental</span>\n</abbr></li><li><a href=\"/en-US/docs/Web/HTTP/Headers/Strict-Transport-Security\"><code>Strict-Transport-Security</code></a></li><li><a href=\"/en-US/docs/Web/HTTP/Headers/Supports-Loading-Mode\"><code>Supports-Loading-Mode</code></a><abbr class=\"icon icon-experimental\" title=\"Experimental. Expect behavior to change in the future.\">\n<span class=\"visually-hidden\">Experimental</span>\n</abbr></li><li><a href=\"/en-US/docs/Web/HTTP/Headers/TE\"><code>TE</code></a></li><li><a href=\"/en-US/docs/Web/HTTP/Headers/Timing-Allow-Origin\"><code>Timing-Allow-Origin</code></a></li><li><a href=\"/en-US/docs/Web/HTTP/Headers/Tk\"><code>Tk</code></a><abbr class=\"icon icon-nonstandard\" title=\"Non-standard. Check cross-browser support before using.\">\n<span class=\"visually-hidden\">Non-standard</span>\n</abbr><abbr class=\"icon icon-deprecated\" title=\"Deprecated. Not for use in new websites.\">\n<span class=\"visually-hidden\">Deprecated</span>\n</abbr></li><li><a href=\"/en-US/docs/Web/HTTP/Headers/Trailer\"><code>Trailer</code></a></li><li><a href=\"/en-US/docs/Web/HTTP/Headers/Transfer-Encoding\"><code>Transfer-Encoding</code></a></li><li><a href=\"/en-US/docs/Web/HTTP/Headers/Upgrade\"><code>Upgrade</code></a></li><li><a href=\"/en-US/docs/Web/HTTP/Headers/Upgrade-Insecure-Requests\"><code>Upgrade-Insecure-Requests</code></a></li><li><a href=\"/en-US/docs/Web/HTTP/Headers/User-Agent\"><code>User-Agent</code></a></li><li><a href=\"/en-US/docs/Web/HTTP/Headers/Vary\"><code>Vary</code></a></li><li><a href=\"/en-US/docs/Web/HTTP/Headers/Via\"><code>Via</code></a></li><li><a href=\"/en-US/docs/Web/HTTP/Headers/Viewport-Width\"><code>Viewport-Width</code></a><abbr class=\"icon icon-nonstandard\" title=\"Non-standard. Check cross-browser support before using.\">\n<span class=\"visually-hidden\">Non-standard</span>\n</abbr><abbr class=\"icon icon-deprecated\" title=\"Deprecated. Not for use in new websites.\">\n<span class=\"visually-hidden\">Deprecated</span>\n</abbr></li><li><a href=\"/en-US/docs/Web/HTTP/Headers/Want-Content-Digest\"><code>Want-Content-Digest</code></a></li><li><a href=\"/en-US/docs/Web/HTTP/Headers/Want-Repr-Digest\"><code>Want-Repr-Digest</code></a></li><li><a href=\"/en-US/docs/Web/HTTP/Headers/Warning\"><code>Warning</code></a><abbr class=\"icon icon-deprecated\" title=\"Deprecated. Not for use in new websites.\">\n<span class=\"visually-hidden\">Deprecated</span>\n</abbr></li><li><a href=\"/en-US/docs/Web/HTTP/Headers/Width\"><code>Width</code></a><abbr class=\"icon icon-nonstandard\" title=\"Non-standard. Check cross-browser support before using.\">\n<span class=\"visually-hidden\">Non-standard</span>\n</abbr><abbr class=\"icon icon-deprecated\" title=\"Deprecated. Not for use in new websites.\">\n<span class=\"visually-hidden\">Deprecated</span>\n</abbr></li><li><a href=\"/en-US/docs/Web/HTTP/Headers/WWW-Authenticate\"><code>WWW-Authenticate</code></a></li><li><a href=\"/en-US/docs/Web/HTTP/Headers/X-Content-Type-Options\"><code>X-Content-Type-Options</code></a></li><li><a href=\"/en-US/docs/Web/HTTP/Headers/X-DNS-Prefetch-Control\"><code>X-DNS-Prefetch-Control</code></a><abbr class=\"icon icon-nonstandard\" title=\"Non-standard. Check cross-browser support before using.\">\n<span class=\"visually-hidden\">Non-standard</span>\n</abbr></li><li><a href=\"/en-US/docs/Web/HTTP/Headers/X-Forwarded-For\"><code>X-Forwarded-For</code></a><abbr class=\"icon icon-nonstandard\" title=\"Non-standard. Check cross-browser support before using.\">\n<span class=\"visually-hidden\">Non-standard</span>\n</abbr></li><li><a href=\"/en-US/docs/Web/HTTP/Headers/X-Forwarded-Host\"><code>X-Forwarded-Host</code></a><abbr class=\"icon icon-nonstandard\" title=\"Non-standard. Check cross-browser support before using.\">\n<span class=\"visually-hidden\">Non-standard</span>\n</abbr></li><li><a href=\"/en-US/docs/Web/HTTP/Headers/X-Forwarded-Proto\"><code>X-Forwarded-Proto</code></a><abbr class=\"icon icon-nonstandard\" title=\"Non-standard. Check cross-browser support before using.\">\n<span class=\"visually-hidden\">Non-standard</span>\n</abbr></li><li><a href=\"/en-US/docs/Web/HTTP/Headers/X-Frame-Options\"><code>X-Frame-Options</code></a></li><li><a href=\"/en-US/docs/Web/HTTP/Headers/X-Permitted-Cross-Domain-Policies\"><code>X-Permitted-Cross-Domain-Policies</code></a><abbr class=\"icon icon-nonstandard\" title=\"Non-standard. Check cross-browser support before using.\">\n<span class=\"visually-hidden\">Non-standard</span>\n</abbr></li><li><a href=\"/en-US/docs/Web/HTTP/Headers/X-Powered-By\"><code>X-Powered-By</code></a><abbr class=\"icon icon-nonstandard\" title=\"Non-standard. Check cross-browser support before using.\">\n<span class=\"visually-hidden\">Non-standard</span>\n</abbr></li><li><a href=\"/en-US/docs/Web/HTTP/Headers/X-Robots-Tag\"><code>X-Robots-Tag</code></a><abbr class=\"icon icon-nonstandard\" title=\"Non-standard. Check cross-browser support before using.\">\n<span class=\"visually-hidden\">Non-standard</span>\n</abbr></li><li><a href=\"/en-US/docs/Web/HTTP/Headers/X-XSS-Protection\"><code>X-XSS-Protection</code></a><abbr class=\"icon icon-nonstandard\" title=\"Non-standard. Check cross-browser support before using.\">\n<span class=\"visually-hidden\">Non-standard</span>\n</abbr><abbr class=\"icon icon-deprecated\" title=\"Deprecated. Not for use in new websites.\">\n<span class=\"visually-hidden\">Deprecated</span>\n</abbr></li></ol></details></li><li class=\"toggle\"><details><summary>HTTP request methods</summary><ol><li><a href=\"/en-US/docs/Web/HTTP/Methods/CONNECT\"><code>CONNECT</code></a></li><li><a href=\"/en-US/docs/Web/HTTP/Methods/DELETE\"><code>DELETE</code></a></li><li><a href=\"/en-US/docs/Web/HTTP/Methods/GET\"><code>GET</code></a></li><li><a href=\"/en-US/docs/Web/HTTP/Methods/HEAD\"><code>HEAD</code></a></li><li><a href=\"/en-US/docs/Web/HTTP/Methods/OPTIONS\"><code>OPTIONS</code></a></li><li><a href=\"/en-US/docs/Web/HTTP/Methods/PATCH\"><code>PATCH</code></a></li><li><a href=\"/en-US/docs/Web/HTTP/Methods/POST\"><code>POST</code></a></li><li><a href=\"/en-US/docs/Web/HTTP/Methods/PUT\"><code>PUT</code></a></li><li><a href=\"/en-US/docs/Web/HTTP/Methods/TRACE\"><code>TRACE</code></a></li></ol></details></li><li class=\"toggle\"><details><summary>HTTP response status codes</summary><ol><li><a href=\"/en-US/docs/Web/HTTP/Status/100\"><code>100 Continue</code></a></li><li><a href=\"/en-US/docs/Web/HTTP/Status/101\"><code>101 Switching Protocols</code></a></li><li><a href=\"/en-US/docs/Web/HTTP/Status/102\"><code>102 Processing</code></a></li><li><a href=\"/en-US/docs/Web/HTTP/Status/103\"><code>103 Early Hints</code></a></li><li><a href=\"/en-US/docs/Web/HTTP/Status/200\"><code>200 OK</code></a></li><li><a href=\"/en-US/docs/Web/HTTP/Status/201\"><code>201 Created</code></a></li><li><a href=\"/en-US/docs/Web/HTTP/Status/202\"><code>202 Accepted</code></a></li><li><a href=\"/en-US/docs/Web/HTTP/Status/203\"><code>203 Non-Authoritative Information</code></a></li><li><a href=\"/en-US/docs/Web/HTTP/Status/204\"><code>204 No Content</code></a></li><li><a href=\"/en-US/docs/Web/HTTP/Status/205\"><code>205 Reset Content</code></a></li><li><a href=\"/en-US/docs/Web/HTTP/Status/206\"><code>206 Partial Content</code></a></li><li><a href=\"/en-US/docs/Web/HTTP/Status/207\"><code>207 Multi-Status</code></a></li><li><a href=\"/en-US/docs/Web/HTTP/Status/208\"><code>208 Already Reported</code></a></li><li><a href=\"/en-US/docs/Web/HTTP/Status/226\"><code>226 IM Used</code></a></li><li><a href=\"/en-US/docs/Web/HTTP/Status/300\"><code>300 Multiple Choices</code></a></li><li><a href=\"/en-US/docs/Web/HTTP/Status/301\"><code>301 Moved Permanently</code></a></li><li><a href=\"/en-US/docs/Web/HTTP/Status/302\"><code>302 Found</code></a></li><li><a href=\"/en-US/docs/Web/HTTP/Status/303\"><code>303 See Other</code></a></li><li><a href=\"/en-US/docs/Web/HTTP/Status/304\"><code>304 Not Modified</code></a></li><li><a href=\"/en-US/docs/Web/HTTP/Status/307\"><code>307 Temporary Redirect</code></a></li><li><a href=\"/en-US/docs/Web/HTTP/Status/308\"><code>308 Permanent Redirect</code></a></li><li><a href=\"/en-US/docs/Web/HTTP/Status/400\"><code>400 Bad Request</code></a></li><li><a href=\"/en-US/docs/Web/HTTP/Status/401\"><code>401 Unauthorized</code></a></li><li><a href=\"/en-US/docs/Web/HTTP/Status/402\"><code>402 Payment Required</code></a></li><li><a href=\"/en-US/docs/Web/HTTP/Status/403\"><code>403 Forbidden</code></a></li><li><a href=\"/en-US/docs/Web/HTTP/Status/404\"><code>404 Not Found</code></a></li><li><a href=\"/en-US/docs/Web/HTTP/Status/405\"><code>405 Method Not Allowed</code></a></li><li><a href=\"/en-US/docs/Web/HTTP/Status/406\"><code>406 Not Acceptable</code></a></li><li><a href=\"/en-US/docs/Web/HTTP/Status/407\"><code>407 Proxy Authentication Required</code></a></li><li><a href=\"/en-US/docs/Web/HTTP/Status/408\"><code>408 Request Timeout</code></a></li><li><a href=\"/en-US/docs/Web/HTTP/Status/409\"><code>409 Conflict</code></a></li><li><a href=\"/en-US/docs/Web/HTTP/Status/410\"><code>410 Gone</code></a></li><li><a href=\"/en-US/docs/Web/HTTP/Status/411\"><code>411 Length Required</code></a></li><li><a href=\"/en-US/docs/Web/HTTP/Status/412\"><code>412 Precondition Failed</code></a></li><li><a href=\"/en-US/docs/Web/HTTP/Status/413\"><code>413 Content Too Large</code></a></li><li><a href=\"/en-US/docs/Web/HTTP/Status/414\"><code>414 URI Too Long</code></a></li><li><a href=\"/en-US/docs/Web/HTTP/Status/415\"><code>415 Unsupported Media Type</code></a></li><li><a href=\"/en-US/docs/Web/HTTP/Status/416\"><code>416 Range Not Satisfiable</code></a></li><li><a href=\"/en-US/docs/Web/HTTP/Status/417\"><code>417 Expectation Failed</code></a></li><li><a href=\"/en-US/docs/Web/HTTP/Status/418\"><code>418 I'm a teapot</code></a></li><li><a href=\"/en-US/docs/Web/HTTP/Status/421\"><code>421 Misdirected Request</code></a></li><li><a href=\"/en-US/docs/Web/HTTP/Status/422\"><code>422 Unprocessable Content</code></a></li><li><a href=\"/en-US/docs/Web/HTTP/Status/423\"><code>423 Locked</code></a></li><li><a href=\"/en-US/docs/Web/HTTP/Status/424\"><code>424 Failed Dependency</code></a></li><li><a href=\"/en-US/docs/Web/HTTP/Status/425\"><code>425 Too Early</code></a></li><li><a href=\"/en-US/docs/Web/HTTP/Status/426\"><code>426 Upgrade Required</code></a></li><li><a href=\"/en-US/docs/Web/HTTP/Status/428\"><code>428 Precondition Required</code></a></li><li><a href=\"/en-US/docs/Web/HTTP/Status/429\"><code>429 Too Many Requests</code></a></li><li><a href=\"/en-US/docs/Web/HTTP/Status/431\"><code>431 Request Header Fields Too Large</code></a></li><li><a href=\"/en-US/docs/Web/HTTP/Status/451\"><code>451 Unavailable For Legal Reasons</code></a></li><li><a href=\"/en-US/docs/Web/HTTP/Status/500\"><code>500 Internal Server Error</code></a></li><li><a href=\"/en-US/docs/Web/HTTP/Status/501\"><code>501 Not Implemented</code></a></li><li><a href=\"/en-US/docs/Web/HTTP/Status/502\"><code>502 Bad Gateway</code></a></li><li><a href=\"/en-US/docs/Web/HTTP/Status/503\"><code>503 Service Unavailable</code></a></li><li><a href=\"/en-US/docs/Web/HTTP/Status/504\"><code>504 Gateway Timeout</code></a></li><li><a href=\"/en-US/docs/Web/HTTP/Status/505\"><code>505 HTTP Version Not Supported</code></a></li><li><a href=\"/en-US/docs/Web/HTTP/Status/506\"><code>506 Variant Also Negotiates</code></a></li><li><a href=\"/en-US/docs/Web/HTTP/Status/507\"><code>507 Insufficient Storage</code></a></li><li><a href=\"/en-US/docs/Web/HTTP/Status/508\"><code>508 Loop Detected</code></a></li><li><a href=\"/en-US/docs/Web/HTTP/Status/510\"><code>510 Not Extended</code></a></li><li><a href=\"/en-US/docs/Web/HTTP/Status/511\"><code>511 Network Authentication Required</code></a></li></ol></details></li><li class=\"toggle\"><details><summary>CSP directives</summary><ol><li><a href=\"/en-US/docs/Web/HTTP/Headers/Content-Security-Policy/base-uri\"><code>CSP: base-uri</code></a></li><li><a href=\"/en-US/docs/Web/HTTP/Headers/Content-Security-Policy/block-all-mixed-content\"><code>CSP: block-all-mixed-content</code></a><abbr class=\"icon icon-deprecated\" title=\"Deprecated. Not for use in new websites.\">\n<span class=\"visually-hidden\">Deprecated</span>\n</abbr></li><li><a href=\"/en-US/docs/Web/HTTP/Headers/Content-Security-Policy/child-src\"><code>CSP: child-src</code></a></li><li><a href=\"/en-US/docs/Web/HTTP/Headers/Content-Security-Policy/connect-src\"><code>CSP: connect-src</code></a></li><li><a href=\"/en-US/docs/Web/HTTP/Headers/Content-Security-Policy/default-src\"><code>CSP: default-src</code></a></li><li><a href=\"/en-US/docs/Web/HTTP/Headers/Content-Security-Policy/fenced-frame-src\"><code>CSP: fenced-frame-src</code></a><abbr class=\"icon icon-experimental\" title=\"Experimental. Expect behavior to change in the future.\">\n<span class=\"visually-hidden\">Experimental</span>\n</abbr></li><li><a href=\"/en-US/docs/Web/HTTP/Headers/Content-Security-Policy/font-src\"><code>CSP: font-src</code></a></li><li><a href=\"/en-US/docs/Web/HTTP/Headers/Content-Security-Policy/form-action\"><code>CSP: form-action</code></a></li><li><a href=\"/en-US/docs/Web/HTTP/Headers/Content-Security-Policy/frame-ancestors\"><code>CSP: frame-ancestors</code></a></li><li><a href=\"/en-US/docs/Web/HTTP/Headers/Content-Security-Policy/frame-src\"><code>CSP: frame-src</code></a></li><li><a href=\"/en-US/docs/Web/HTTP/Headers/Content-Security-Policy/img-src\"><code>CSP: img-src</code></a></li><li><a href=\"/en-US/docs/Web/HTTP/Headers/Content-Security-Policy/manifest-src\"><code>CSP: manifest-src</code></a></li><li><a href=\"/en-US/docs/Web/HTTP/Headers/Content-Security-Policy/media-src\"><code>CSP: media-src</code></a></li><li><a href=\"/en-US/docs/Web/HTTP/Headers/Content-Security-Policy/object-src\"><code>CSP: object-src</code></a></li><li><a href=\"/en-US/docs/Web/HTTP/Headers/Content-Security-Policy/prefetch-src\"><code>CSP: prefetch-src</code></a><abbr class=\"icon icon-nonstandard\" title=\"Non-standard. Check cross-browser support before using.\">\n<span class=\"visually-hidden\">Non-standard</span>\n</abbr><abbr class=\"icon icon-deprecated\" title=\"Deprecated. Not for use in new websites.\">\n<span class=\"visually-hidden\">Deprecated</span>\n</abbr></li><li><a href=\"/en-US/docs/Web/HTTP/Headers/Content-Security-Policy/report-to\"><code>CSP: report-to</code></a></li><li><a href=\"/en-US/docs/Web/HTTP/Headers/Content-Security-Policy/report-uri\"><code>CSP: report-uri</code></a><abbr class=\"icon icon-deprecated\" title=\"Deprecated. Not for use in new websites.\">\n<span class=\"visually-hidden\">Deprecated</span>\n</abbr></li><li><a href=\"/en-US/docs/Web/HTTP/Headers/Content-Security-Policy/require-trusted-types-for\"><code>CSP: require-trusted-types-for</code></a><abbr class=\"icon icon-experimental\" title=\"Experimental. Expect behavior to change in the future.\">\n<span class=\"visually-hidden\">Experimental</span>\n</abbr></li><li><a href=\"/en-US/docs/Web/HTTP/Headers/Content-Security-Policy/sandbox\"><code>CSP: sandbox</code></a></li><li><a href=\"/en-US/docs/Web/HTTP/Headers/Content-Security-Policy/script-src\"><code>CSP: script-src</code></a></li><li><a href=\"/en-US/docs/Web/HTTP/Headers/Content-Security-Policy/script-src-attr\"><code>CSP: script-src-attr</code></a></li><li><a href=\"/en-US/docs/Web/HTTP/Headers/Content-Security-Policy/script-src-elem\"><code>CSP: script-src-elem</code></a></li><li><a href=\"/en-US/docs/Web/HTTP/Headers/Content-Security-Policy/style-src\"><code>CSP: style-src</code></a></li><li><a href=\"/en-US/docs/Web/HTTP/Headers/Content-Security-Policy/style-src-attr\"><code>CSP: style-src-attr</code></a></li><li><a href=\"/en-US/docs/Web/HTTP/Headers/Content-Security-Policy/style-src-elem\"><code>CSP: style-src-elem</code></a></li><li><a href=\"/en-US/docs/Web/HTTP/Headers/Content-Security-Policy/trusted-types\"><code>CSP: trusted-types</code></a><abbr class=\"icon icon-experimental\" title=\"Experimental. Expect behavior to change in the future.\">\n<span class=\"visually-hidden\">Experimental</span>\n</abbr></li><li><a href=\"/en-US/docs/Web/HTTP/Headers/Content-Security-Policy/upgrade-insecure-requests\"><code>CSP: upgrade-insecure-requests</code></a></li><li><a href=\"/en-US/docs/Web/HTTP/Headers/Content-Security-Policy/worker-src\"><code>CSP: worker-src</code></a></li></ol></details></li><li class=\"toggle\"><details><summary>CORS errors</summary><ol><li><a href=\"/en-US/docs/Web/HTTP/CORS/Errors/CORSDisabled\"><code>Reason: CORS disabled</code></a></li><li><a href=\"/en-US/docs/Web/HTTP/CORS/Errors/CORSAllowOriginNotMatchingOrigin\"><code>Reason: CORS header 'Access-Control-Allow-Origin' does not match 'xyz'</code></a></li><li><a href=\"/en-US/docs/Web/HTTP/CORS/Errors/CORSMissingAllowOrigin\"><code>Reason: CORS header 'Access-Control-Allow-Origin' missing</code></a></li><li><a href=\"/en-US/docs/Web/HTTP/CORS/Errors/CORSOriginHeaderNotAdded\"><code>Reason: CORS header 'Origin' cannot be added</code></a></li><li><a href=\"/en-US/docs/Web/HTTP/CORS/Errors/CORSPreflightDidNotSucceed\"><code>Reason: CORS preflight channel did not succeed</code></a></li><li><a href=\"/en-US/docs/Web/HTTP/CORS/Errors/CORSDidNotSucceed\"><code>Reason: CORS request did not succeed</code></a></li><li><a href=\"/en-US/docs/Web/HTTP/CORS/Errors/CORSExternalRedirectNotAllowed\"><code>Reason: CORS request external redirect not allowed</code></a></li><li><a href=\"/en-US/docs/Web/HTTP/CORS/Errors/CORSRequestNotHttp\"><code>Reason: CORS request not HTTP</code></a></li><li><a href=\"/en-US/docs/Web/HTTP/CORS/Errors/CORSNotSupportingCredentials\"><code>Reason: Credential is not supported if the CORS header 'Access-Control-Allow-Origin' is '*'</code></a></li><li><a href=\"/en-US/docs/Web/HTTP/CORS/Errors/CORSMethodNotFound\"><code>Reason: Did not find method in CORS header 'Access-Control-Allow-Methods'</code></a></li><li><a href=\"/en-US/docs/Web/HTTP/CORS/Errors/CORSMIssingAllowCredentials\"><code>Reason: expected 'true' in CORS header 'Access-Control-Allow-Credentials'</code></a></li><li><a href=\"/en-US/docs/Web/HTTP/CORS/Errors/CORSInvalidAllowHeader\"><code>Reason: invalid token 'xyz' in CORS header 'Access-Control-Allow-Headers'</code></a></li><li><a href=\"/en-US/docs/Web/HTTP/CORS/Errors/CORSInvalidAllowMethod\"><code>Reason: invalid token 'xyz' in CORS header 'Access-Control-Allow-Methods'</code></a></li><li><a href=\"/en-US/docs/Web/HTTP/CORS/Errors/CORSMissingAllowHeaderFromPreflight\"><code>Reason: missing token 'xyz' in CORS header 'Access-Control-Allow-Headers' from CORS preflight channel</code></a></li><li><a href=\"/en-US/docs/Web/HTTP/CORS/Errors/CORSMultipleAllowOriginNotAllowed\"><code>Reason: Multiple CORS header 'Access-Control-Allow-Origin' not allowed</code></a></li></ol></details></li><li class=\"toggle\"><details><summary>Permissions-Policy directives</summary><ol><li><a href=\"/en-US/docs/Web/HTTP/Headers/Permissions-Policy/accelerometer\"><code>Permissions-Policy: accelerometer</code></a><abbr class=\"icon icon-experimental\" title=\"Experimental. Expect behavior to change in the future.\">\n<span class=\"visually-hidden\">Experimental</span>\n</abbr></li><li><a href=\"/en-US/docs/Web/HTTP/Headers/Permissions-Policy/ambient-light-sensor\"><code>Permissions-Policy: ambient-light-sensor</code></a><abbr class=\"icon icon-experimental\" title=\"Experimental. Expect behavior to change in the future.\">\n<span class=\"visually-hidden\">Experimental</span>\n</abbr></li><li><a href=\"/en-US/docs/Web/HTTP/Headers/Permissions-Policy/attribution-reporting\"><code>Permissions-Policy: attribution-reporting</code></a><abbr class=\"icon icon-experimental\" title=\"Experimental. Expect behavior to change in the future.\">\n<span class=\"visually-hidden\">Experimental</span>\n</abbr></li><li><a href=\"/en-US/docs/Web/HTTP/Headers/Permissions-Policy/autoplay\"><code>Permissions-Policy: autoplay</code></a><abbr class=\"icon icon-experimental\" title=\"Experimental. Expect behavior to change in the future.\">\n<span class=\"visually-hidden\">Experimental</span>\n</abbr></li><li><a href=\"/en-US/docs/Web/HTTP/Headers/Permissions-Policy/bluetooth\"><code>Permissions-Policy: bluetooth</code></a><abbr class=\"icon icon-experimental\" title=\"Experimental. Expect behavior to change in the future.\">\n<span class=\"visually-hidden\">Experimental</span>\n</abbr></li><li><a href=\"/en-US/docs/Web/HTTP/Headers/Permissions-Policy/browsing-topics\"><code>Permissions-Policy: browsing-topics</code></a><abbr class=\"icon icon-experimental\" title=\"Experimental. Expect behavior to change in the future.\">\n<span class=\"visually-hidden\">Experimental</span>\n</abbr><abbr class=\"icon icon-nonstandard\" title=\"Non-standard. Check cross-browser support before using.\">\n<span class=\"visually-hidden\">Non-standard</span>\n</abbr></li><li><a href=\"/en-US/docs/Web/HTTP/Headers/Permissions-Policy/camera\"><code>Permissions-Policy: camera</code></a><abbr class=\"icon icon-experimental\" title=\"Experimental. Expect behavior to change in the future.\">\n<span class=\"visually-hidden\">Experimental</span>\n</abbr></li><li><a href=\"/en-US/docs/Web/HTTP/Headers/Permissions-Policy/compute-pressure\"><code>Permissions-Policy: compute-pressure</code></a><abbr class=\"icon icon-experimental\" title=\"Experimental. Expect behavior to change in the future.\">\n<span class=\"visually-hidden\">Experimental</span>\n</abbr></li><li><a href=\"/en-US/docs/Web/HTTP/Headers/Permissions-Policy/cross-origin-isolated\"><code>Permissions-Policy: cross-origin-isolated</code></a><abbr class=\"icon icon-experimental\" title=\"Experimental. Expect behavior to change in the future.\">\n<span class=\"visually-hidden\">Experimental</span>\n</abbr></li><li><a href=\"/en-US/docs/Web/HTTP/Headers/Permissions-Policy/display-capture\"><code>Permissions-Policy: display-capture</code></a><abbr class=\"icon icon-experimental\" title=\"Experimental. Expect behavior to change in the future.\">\n<span class=\"visually-hidden\">Experimental</span>\n</abbr></li><li><a href=\"/en-US/docs/Web/HTTP/Headers/Permissions-Policy/document-domain\"><code>Permissions-Policy: document-domain</code></a><abbr class=\"icon icon-experimental\" title=\"Experimental. Expect behavior to change in the future.\">\n<span class=\"visually-hidden\">Experimental</span>\n</abbr></li><li><a href=\"/en-US/docs/Web/HTTP/Headers/Permissions-Policy/encrypted-media\"><code>Permissions-Policy: encrypted-media</code></a><abbr class=\"icon icon-experimental\" title=\"Experimental. Expect behavior to change in the future.\">\n<span class=\"visually-hidden\">Experimental</span>\n</abbr></li><li><a href=\"/en-US/docs/Web/HTTP/Headers/Permissions-Policy/fullscreen\"><code>Permissions-Policy: fullscreen</code></a><abbr class=\"icon icon-experimental\" title=\"Experimental. Expect behavior to change in the future.\">\n<span class=\"visually-hidden\">Experimental</span>\n</abbr></li><li><a href=\"/en-US/docs/Web/HTTP/Headers/Permissions-Policy/gamepad\"><code>Permissions-Policy: gamepad</code></a><abbr class=\"icon icon-experimental\" title=\"Experimental. Expect behavior to change in the future.\">\n<span class=\"visually-hidden\">Experimental</span>\n</abbr></li><li><a href=\"/en-US/docs/Web/HTTP/Headers/Permissions-Policy/geolocation\"><code>Permissions-Policy: geolocation</code></a><abbr class=\"icon icon-experimental\" title=\"Experimental. Expect behavior to change in the future.\">\n<span class=\"visually-hidden\">Experimental</span>\n</abbr></li><li><a href=\"/en-US/docs/Web/HTTP/Headers/Permissions-Policy/gyroscope\"><code>Permissions-Policy: gyroscope</code></a><abbr class=\"icon icon-experimental\" title=\"Experimental. Expect behavior to change in the future.\">\n<span class=\"visually-hidden\">Experimental</span>\n</abbr></li><li><a href=\"/en-US/docs/Web/HTTP/Headers/Permissions-Policy/hid\"><code>Permissions-Policy: hid</code></a><abbr class=\"icon icon-experimental\" title=\"Experimental. Expect behavior to change in the future.\">\n<span class=\"visually-hidden\">Experimental</span>\n</abbr></li><li><a href=\"/en-US/docs/Web/HTTP/Headers/Permissions-Policy/identity-credentials-get\"><code>Permissions-Policy: identity-credentials-get</code></a><abbr class=\"icon icon-experimental\" title=\"Experimental. Expect behavior to change in the future.\">\n<span class=\"visually-hidden\">Experimental</span>\n</abbr></li><li><a href=\"/en-US/docs/Web/HTTP/Headers/Permissions-Policy/idle-detection\"><code>Permissions-Policy: idle-detection</code></a><abbr class=\"icon icon-experimental\" title=\"Experimental. Expect behavior to change in the future.\">\n<span class=\"visually-hidden\">Experimental</span>\n</abbr></li><li><a href=\"/en-US/docs/Web/HTTP/Headers/Permissions-Policy/local-fonts\"><code>Permissions-Policy: local-fonts</code></a><abbr class=\"icon icon-experimental\" title=\"Experimental. Expect behavior to change in the future.\">\n<span class=\"visually-hidden\">Experimental</span>\n</abbr></li><li><a href=\"/en-US/docs/Web/HTTP/Headers/Permissions-Policy/magnetometer\"><code>Permissions-Policy: magnetometer</code></a><abbr class=\"icon icon-experimental\" title=\"Experimental. Expect behavior to change in the future.\">\n<span class=\"visually-hidden\">Experimental</span>\n</abbr></li><li><a href=\"/en-US/docs/Web/HTTP/Headers/Permissions-Policy/microphone\"><code>Permissions-Policy: microphone</code></a><abbr class=\"icon icon-experimental\" title=\"Experimental. Expect behavior to change in the future.\">\n<span class=\"visually-hidden\">Experimental</span>\n</abbr></li><li><a href=\"/en-US/docs/Web/HTTP/Headers/Permissions-Policy/midi\"><code>Permissions-Policy: midi</code></a><abbr class=\"icon icon-experimental\" title=\"Experimental. Expect behavior to change in the future.\">\n<span class=\"visually-hidden\">Experimental</span>\n</abbr></li><li><a href=\"/en-US/docs/Web/HTTP/Headers/Permissions-Policy/otp-credentials\"><code>Permissions-Policy: otp-credentials</code></a><abbr class=\"icon icon-experimental\" title=\"Experimental. Expect behavior to change in the future.\">\n<span class=\"visually-hidden\">Experimental</span>\n</abbr></li><li><a href=\"/en-US/docs/Web/HTTP/Headers/Permissions-Policy/payment\"><code>Permissions-Policy: payment</code></a><abbr class=\"icon icon-experimental\" title=\"Experimental. Expect behavior to change in the future.\">\n<span class=\"visually-hidden\">Experimental</span>\n</abbr></li><li><a href=\"/en-US/docs/Web/HTTP/Headers/Permissions-Policy/picture-in-picture\"><code>Permissions-Policy: picture-in-picture</code></a><abbr class=\"icon icon-experimental\" title=\"Experimental. Expect behavior to change in the future.\">\n<span class=\"visually-hidden\">Experimental</span>\n</abbr></li><li><a href=\"/en-US/docs/Web/HTTP/Headers/Permissions-Policy/publickey-credentials-create\"><code>Permissions-Policy: publickey-credentials-create</code></a><abbr class=\"icon icon-experimental\" title=\"Experimental. Expect behavior to change in the future.\">\n<span class=\"visually-hidden\">Experimental</span>\n</abbr></li><li><a href=\"/en-US/docs/Web/HTTP/Headers/Permissions-Policy/publickey-credentials-get\"><code>Permissions-Policy: publickey-credentials-get</code></a><abbr class=\"icon icon-experimental\" title=\"Experimental. Expect behavior to change in the future.\">\n<span class=\"visually-hidden\">Experimental</span>\n</abbr></li><li><a href=\"/en-US/docs/Web/HTTP/Headers/Permissions-Policy/screen-wake-lock\"><code>Permissions-Policy: screen-wake-lock</code></a><abbr class=\"icon icon-experimental\" title=\"Experimental. Expect behavior to change in the future.\">\n<span class=\"visually-hidden\">Experimental</span>\n</abbr></li><li><a href=\"/en-US/docs/Web/HTTP/Headers/Permissions-Policy/serial\"><code>Permissions-Policy: serial</code></a><abbr class=\"icon icon-experimental\" title=\"Experimental. Expect behavior to change in the future.\">\n<span class=\"visually-hidden\">Experimental</span>\n</abbr></li><li><a href=\"/en-US/docs/Web/HTTP/Headers/Permissions-Policy/speaker-selection\"><code>Permissions-Policy: speaker-selection</code></a><abbr class=\"icon icon-experimental\" title=\"Experimental. Expect behavior to change in the future.\">\n<span class=\"visually-hidden\">Experimental</span>\n</abbr></li><li><a href=\"/en-US/docs/Web/HTTP/Headers/Permissions-Policy/storage-access\"><code>Permissions-Policy: storage-access</code></a><abbr class=\"icon icon-experimental\" title=\"Experimental. Expect behavior to change in the future.\">\n<span class=\"visually-hidden\">Experimental</span>\n</abbr></li><li><a href=\"/en-US/docs/Web/HTTP/Headers/Permissions-Policy/usb\"><code>Permissions-Policy: usb</code></a><abbr class=\"icon icon-experimental\" title=\"Experimental. Expect behavior to change in the future.\">\n<span class=\"visually-hidden\">Experimental</span>\n</abbr></li><li><a href=\"/en-US/docs/Web/HTTP/Headers/Permissions-Policy/web-share\"><code>Permissions-Policy: web-share</code></a><abbr class=\"icon icon-experimental\" title=\"Experimental. Expect behavior to change in the future.\">\n<span class=\"visually-hidden\">Experimental</span>\n</abbr></li><li><a href=\"/en-US/docs/Web/HTTP/Headers/Permissions-Policy/window-management\"><code>Permissions-Policy: window-management</code></a><abbr class=\"icon icon-experimental\" title=\"Experimental. Expect behavior to change in the future.\">\n<span class=\"visually-hidden\">Experimental</span>\n</abbr></li><li><a href=\"/en-US/docs/Web/HTTP/Headers/Permissions-Policy/xr-spatial-tracking\"><code>Permissions-Policy: xr-spatial-tracking</code></a><abbr class=\"icon icon-experimental\" title=\"Experimental. Expect behavior to change in the future.\">\n<span class=\"visually-hidden\">Experimental</span>\n</abbr></li></ol></details></li><li><a href=\"/en-US/docs/Web/HTTP/Resources_and_specifications\">HTTP resources and specifications</a></li></ol>","source":{"folder":"en-us/web/http/cors","github_url":"https://github.com/mdn/content/blob/main/files/en-us/web/http/cors/index.md","last_commit_url":"https://github.com/mdn/content/commit/442db82028668b17b888ee439468ae2ac9d589a5","filename":"index.md"},"summary":"Cross-Origin Resource Sharing (CORS) is an HTTP-header based mechanism that allows a server to indicate any origins (domain, scheme, or port) other than its own from which a browser should permit loading resources. CORS also relies on a mechanism by which browsers make a \"preflight\" request to the server hosting the cross-origin resource, in order to check that the server will permit the actual request. In that preflight, the browser sends headers that indicate the HTTP method and headers that will be used in the actual request.","title":"Cross-Origin Resource Sharing (CORS)","toc":[{"text":"What requests use CORS?","id":"what_requests_use_cors"},{"text":"Functional overview","id":"functional_overview"},{"text":"Examples of access control scenarios","id":"examples_of_access_control_scenarios"},{"text":"The HTTP response headers","id":"the_http_response_headers"},{"text":"The HTTP request headers","id":"the_http_request_headers"},{"text":"Specifications","id":"specifications"},{"text":"Browser compatibility","id":"browser_compatibility"},{"text":"See also","id":"see_also"}],"baseline":{"baseline":"high","baseline_low_date":"2015-07-29","baseline_high_date":"2018-01-29","support":{"chrome":"4","chrome_android":"18","edge":"12","firefox":"3.5","firefox_android":"4","safari":"4","safari_ios":"3.2"}},"browserCompat":["http.headers.Access-Control-Allow-Origin"],"pageType":"guide"}}</script> <script>function gtElInit() {var lib = new google.translate.TranslateService();lib.translatePage('pl', 'tr', function () {});}</script> <script src="https://translate.google.com/translate_a/element.js?cb=gtElInit&hl=en-GB&client=wt" type="text/javascript"></script> </body> </html>