Access-Control-Allow-Headers

Access-Control-Allow-Headers: <header-name>[, <header-name>]*
Access-Control-Allow-Headers: *
  
<header-name>
    
可支持的请求首部名字。请求头会列出所有支持的首部列表，用逗号隔开。
注意以下这些特定的首部是一直允许的：Accept, Accept-Language, Content-Language, Content-Type（但只在其值属于 MIME 类型 application/x-www-form-urlencoded, multipart/form-data 或 text/plain中的一种时）。这些被称作simple headers，你无需特意声明它们。
* (wildcard)
对于没有凭据的请求（没有 HTTP cookie 或 HTTP 认证信息的请求），值“ *”仅作为特殊的通配符值。在具有凭据的请求中，它被视为没有特殊语义的文字标头名称“ *”。请注意，Authorization标头不能使用通配符，并且始终需要明确列出。

下面是 Access-Control-Allow-Headers 标头的一个示例。它表明，除了 CORS 安全清单列出的请求标头外，对服务器的 CORS 请求还支持名为 X-Custom-Header 的自定义标头。

Access-Control-Allow-Headers: X-Custom-Header

此示例展示了支持多个标头时的 Access-Control-Allow-Headers 。

Access-Control-Allow-Headers: X-Custom-Header, Upgrade-Insecure-Requests

让我们看一个涉及 Access-Control-Allow-Headers 的预检请求示例。

Request

First, the request. The preflight request is an OPTIONS request which includes some combination of the three preflight request headers: Access-Control-Request-Method , Access-Control-Request-Headers , and Origin , such as:

OPTIONS /resource/foo
Access-Control-Request-Method: DELETE
Access-Control-Request-Headers: origin, x-requested-with
Origin: https://foo.bar.org
Response
If the server allows CORS requests to use the DELETE method, it responds with an Access-Control-Allow-Methods response header, which lists DELETE along with the other methods it supports:
HTTP/1.1 200 OK
Content-Length: 0
Connection: keep-alive
Access-Control-Allow-Origin: https://foo.bar.org
Access-Control-Allow-Methods: POST, GET, OPTIONS, DELETE
Access-Control-Max-Age: 86400
If the requested method isn't supported, the server will respond with an error.

• 在最新规范中提出的通配符 (*)，尚未被如下浏览器实现：
• Chromium: Issue 615313
• Firefox: Firefox bug 1309358
• Servo: Issue 13283
• WebKit: Issue 165508