Make Access-Control-Allow-Methods matching in CORS preflight spec conformant
Supported on: Microsoft Windows 7 or later
Registry
Software\Policies\Google\Chrome Software\Policies\Google\Chrome Value name: AccessControlAllowMethodsInCORSPreflightSpecConformant
Enabled: AccessControlAllowMethodsInCORSPreflightSpecConformant = 1
Disabled: AccessControlAllowMethodsInCORSPreflightSpecConformant = 0
Description
This policy controls whether request methods are uppercased when matching with Access-Control-Allow-Methods response headers in CORS preflight. If the policy is Disabled, request methods are uppercased. This is the behavior on or before Google Chrome 108. If the policy is Enabled or not set, request methods are not uppercased, unless matching case-insensitively with DELETE, GET, HEAD, OPTIONS, POST, or PUT. This would reject fetch(url, {method: 'Foo'}) + "Access-Control-Allow-Methods: FOO" response header, and would accept fetch(url, {method: 'Foo'}) + "Access-Control-Allow-Methods: Foo" response header. Note: request methods "post" and "put" are not affected, while "patch" is affected. This policy is intended to be temporary and will be removed in the future.