Make Access-Control-Allow-Methods matching in CORS preflight spec conformant
Supported on: Microsoft Edge version 123, Windows 7 or later
Registry
Software\Policies\Microsoft\Edge\WebView2 Software\Policies\Microsoft\Edge\WebView2 Value name: AccessControlAllowMethodsInCORSPreflightSpecConformant
Enabled: AccessControlAllowMethodsInCORSPreflightSpecConformant = 1
Disabled: AccessControlAllowMethodsInCORSPreflightSpecConformant = 0
Description
This policy controls whether request methods are uppercased when matching with Access-Control-Allow-Methods response headers in CORS preflight. If you disable this policy, request methods are uppercased. This is the behavior on or before Microsoft Edge 108. If you enable or don't configure this policy, request methods aren't uppercased, unless matching case-insensitively with DELETE, GET, HEAD, OPTIONS, POST, or PUT. This would reject fetch(url, {method: 'Foo'}) + "Access-Control-Allow-Methods: FOO" response header, and would accept fetch(url, {method: 'Foo'}) + "Access-Control-Allow-Methods: Foo" response header. Note: request methods "post" and "put" aren't affected, while "patch" is affected. This policy is intended to be temporary and will be removed in the future.