From 573b59b0d09a649fc4393e81948bcfb5ed78da5a Mon Sep 17 00:00:00 2001 From: Tom Dykstra Date: Sat, 21 Sep 2024 16:03:46 -0700 Subject: [PATCH] Remove Access-Control-Allow-Methods from request header list (#33673) Fixes #33660 Access-Control-Allow-Methods is a response header, not a request header --- aspnetcore/security/cors.md | 1 - 1 file changed, 1 deletion(-) diff --git a/aspnetcore/security/cors.md b/aspnetcore/security/cors.md index 9bd75dfd88ae..d27cc7ce1a64 100644 --- a/aspnetcore/security/cors.md +++ b/aspnetcore/security/cors.md @@ -360,7 +360,6 @@ The preflight request uses the [HTTP OPTIONS](https://developer.mozilla.org/docs * [Access-Control-Request-Method](https://developer.mozilla.org/docs/Web/HTTP/Headers/Access-Control-Request-Method): The HTTP method that will be used for the actual request. * [Access-Control-Request-Headers](https://developer.mozilla.org/docs/Web/HTTP/Headers/Access-Control-Allow-Headers): A list of request headers that the app sets on the actual request. As stated earlier, this doesn't include headers that the browser sets, such as `User-Agent`. -* [Access-Control-Allow-Methods](https://developer.mozilla.org/docs/Web/HTTP/Headers/Access-Control-Allow-Methods) If the preflight request is denied, the app returns a `200 OK` response but doesn't set the CORS headers. Therefore, the browser doesn't attempt the cross-origin request. For an example of a denied preflight request, see the [Test CORS](#testc6) section of this document.