Open Bug 1733981 Opened 2 years ago Updated 2 months ago

CORS: Allow particular Range header values without a preflight


(Core :: DOM: Networking, enhancement, P3)





(Reporter: jaffathecake, Unassigned)


(Blocks 1 open bug)


(Keywords: dev-doc-needed, Whiteboard: [necko-triaged])

User Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/94.0.4606.61 Safari/537.36

Expected results:

Spec discussion:
Spec PR:
Tests PR:

Range was added as a safe-listed header as long as the value is in a particular format, which aligns with formats the browser uses when requesting media and resuming downloads.

Ever confirmed: true
Keywords: dev-doc-needed
Severity: -- → N/A
Priority: -- → P3
Whiteboard: [necko-triaged]
Blocks: fetch

The following information seems to have sped the development of a webkit patch along, so I will re-post it here:

CORS-safelisted request-header:

Allowed particular Range header values (simple range header value):


Range: bytes=0-255

Range: bytes=255-

Hopefully it will make a patch for Gecko more likely.

See Also: → 1465074

Dev docs published:

Range (only with a simple range header value; e.g., bytes=256- or bytes=127-255)
Note: Firefox has not implemented Range as a safelisted request-header yet. See bug 1733981.

Shipped in Chromium:
In trunk for WebKit:;a=commit;h=2b039d303782f915fd730720f281f081aab45549

You need to log in before you can comment on or make changes to this bug.