Manual:$wgAllowedCorsHeaders

API: $wgAllowedCorsHeaders
List of allowed headers for cross-origin API requests.
Introduced in version:1.35.0 (Gerrit change 585491; git #0ed077d3)
Removed in version:Still in use
Allowed values:(array)
Default value:(see below)

Used in the Access-Control-Allow-Headers response for cross-origin requests coming from a domain that is allowed via $wgCrossSiteAJAXdomains .

Default value

MediaWiki version:
1.40
Gerrit change 921154

This was backported to MediaWiki 1.35.11, 1.38.7 and 1.39.4.

$wgAllowedCorsHeaders = [
	/* simple headers (see spec) */
	'Accept',
	'Accept-Language',
	'Content-Language',
	'Content-Type',
	/* non-authorable headers in XHR, which are however requested by some UAs */
	'Accept-Encoding',
	'DNT',
	'Origin',
	/* MediaWiki whitelist */
	'User-Agent',
	'Api-User-Agent',
	/* Allowing caching preflight requests, see T269636 */
	'Access-Control-Max-Age',
	/* OAuth 2.0, see T322944 */
	'Authorization',
];
MediaWiki versions:
1.36 – 1.39
Gerrit change 646768

This was backported to MediaWiki 1.35.11.

$wgAllowedCorsHeaders = [
	/* simple headers (see spec) */
	'Accept',
	'Accept-Language',
	'Content-Language',
	'Content-Type',
	/* non-authorable headers in XHR, which are however requested by some UAs */
	'Accept-Encoding',
	'DNT',
	'Origin',
	/* MediaWiki whitelist */
	'User-Agent',
	'Api-User-Agent',
	/* Allowing caching preflight requests, see T269636 */
	'Access-Control-Max-Age',
];
MediaWiki version:
1.35
$wgAllowedCorsHeaders = [
	/* simple headers (see spec) */
	'Accept',
	'Accept-Language',
	'Content-Language',
	'Content-Type',
	/* non-authorable headers in XHR, which are however requested by some UAs */
	'Accept-Encoding',
	'DNT',
	'Origin',
	/* MediaWiki whitelist */
	'User-Agent',
	'Api-User-Agent',
];