HTML

Structure of content on the web

  • Web APIs

    Interfaces for building web applications

  • Learn
  • HTTP Observatory

    Scan a website for free

  • HTTP
  • HTTP
  • A typical HTTP session
  • HTTP caching
  • HTTP conditional requests
  • Protocol upgrade mechanism
  • HTTP Observatory
  • Permissions Policy
  • CORS errors
    1. Reason: CORS header 'Origin' cannot be added
    2. Reason: CORS request not HTTP
    3. Reason: invalid token 'xyz' in CORS header 'Access-Control-Allow-Headers'
    4. Reference
    5. Accept-Encoding
    6. Accept-Ranges
    7. Access-Control-Allow-Origin
    8. Access-Control-Request-Method
    9. Alt-Used
    10. Attribution-Reporting-Eligible
    11. Attribution-Reporting-Register-Source
    12. Attribution-Reporting-Register-Trigger
    13. Connection
    14. Content-DPR
    15. Content-Location
    16. Content-Type
    17. Critical-CH
    18. Date
    19. DNT
    20. Downlink
    21. DPR
    22. Early-Data
    23. ECT
    24. Expect-CT
    25. Host
    26. If-Range
    27. Link
    28. NEL
    29. No-Vary-Search
    30. Observe-Browsing-Topics
    31. Origin-Agent-Cluster
    32. Permissions-Policy
    33. Pragma
    34. Proxy-Authenticate
    35. Referrer-Policy
    36. Report-To
    37. Reporting-Endpoints
    38. RTT
    39. Save-Data
    40. Sec-Browsing-Topics
    41. Sec-CH-Prefers-Color-Scheme
    42. Sec-CH-Prefers-Reduced-Motion
    43. Sec-CH-Prefers-Reduced-Transparency
    44. Sec-CH-UA
    45. Sec-CH-UA-Arch
    46. Sec-CH-UA-Bitness
    47. Sec-CH-UA-Form-Factors
    48. Sec-CH-UA-Full-Version
    49. Sec-CH-UA-Full-Version-List
    50. Sec-CH-UA-Mobile
    51. Sec-CH-UA-Model
    52. Sec-CH-UA-Platform
    53. Sec-CH-UA-Platform-Version
    54. Sec-CH-UA-WoW64
    55. Sec-Fetch-User
    56. Sec-GPC
    57. Sec-WebSocket-Key
    58. Server-Timing
    59. Set-Cookie
    60. Set-Login
    61. Speculation-Rules
    62. Supports-Loading-Mode
    63. Tk
    64. Upgrade-Insecure-Requests
    65. Viewport-Width
    66. Warning
    67. Width
    68. X-DNS-Prefetch-Control
    69. X-Forwarded-For
    70. X-Forwarded-Host
    71. X-Forwarded-Proto
    72. X-Permitted-Cross-Domain-Policies
    73. X-Powered-By
    74. X-Robots-Tag
    75. X-XSS-Protection
  • GET
  • POST
  • 100 Continue
  • 200 OK
  • 204 No Content
  • 208 Already Reported
  • 302 Found
  • 308 Permanent Redirect
  • 403 Forbidden
  • 407 Proxy Authentication Required
  • 411 Length Required
  • 415 Unsupported Media Type
  • 421 Misdirected Request
  • 425 Too Early
  • 431 Request Header Fields Too Large
  • 502 Bad Gateway
  • 506 Variant Also Negotiates
  • 511 Network Authentication Required
  • CSP: block-all-mixed-content
  • CSP: fenced-frame-src
  • CSP: frame-src
  • CSP: object-src
  • CSP: prefetch-src
  • CSP: report-uri
  • CSP: script-src-attr
  • CSP: style-src-elem
  • Permissions-Policy directives
    1. Permissions-Policy: accelerometer
    2. Permissions-Policy: ambient-light-sensor
    3. Permissions-Policy: attribution-reporting
    4. Permissions-Policy: autoplay
    5. Permissions-Policy: bluetooth
    6. Permissions-Policy: browsing-topics
    7. Permissions-Policy: camera
    8. Permissions-Policy: compute-pressure
    9. Permissions-Policy: cross-origin-isolated
    10. Permissions-Policy: display-capture
    11. Permissions-Policy: document-domain
    12. Permissions-Policy: encrypted-media
    13. Permissions-Policy: fullscreen
    14. Permissions-Policy: gamepad
    15. Permissions-Policy: geolocation
    16. Permissions-Policy: gyroscope
    17. Permissions-Policy: hid
    18. Permissions-Policy: identity-credentials-get
    19. Permissions-Policy: idle-detection
    20. Permissions-Policy: local-fonts
    21. Permissions-Policy: magnetometer
    22. Permissions-Policy: microphone
    23. Permissions-Policy: midi
    24. Permissions-Policy: otp-credentials
    25. Permissions-Policy: payment
    26. Permissions-Policy: picture-in-picture
    27. Permissions-Policy: publickey-credentials-create
    28. Permissions-Policy: publickey-credentials-get
    29. Permissions-Policy: screen-wake-lock
    30. Permissions-Policy: serial
    31. Permissions-Policy: speaker-selection
    32. Permissions-Policy: storage-access
    33. Permissions-Policy: usb
    34. Permissions-Policy: web-share
    35. Permissions-Policy: window-management
    36. Permissions-Policy: xr-spatial-tracking
  • request header indicates the part of a resource that the server should return. Several parts can be requested at the same time in one Range header, and the server may send back these ranges in a multipart document. If the server sends back ranges, it uses the 206 Partial Content status code for the response. If the ranges are invalid, the server returns the 416 Range Not Satisfiable error.

    A server that doesn't support range requests may ignore the Range header and return the whole resource with a 200 status code. Older browsers used a response header of Accept-Ranges: none to disable features like 'pause' or 'resume' in download managers, but since a server ignoring the Range header has the same meaning as responding with Accept-Ranges: none, the header is rarely used in this way.

    Currently only bytes units are registered which are offsets (zero-indexed & inclusive). If the requested data has a content coding applied, each byte range represents the encoded sequence of bytes, not the bytes that would be obtained after decoding.

    The header is a CORS-safelisted request header when the directive specifies a single byte range.

    Header type Request header
    Forbidden request header No

    • Syntax

    http
    Range: <unit>=<range-start>-
Range: <unit>=<range-start>-<range-end>
Range: <unit>=<range-start>-<range-end>, …, <range-startN>-<range-endN>
Range: <unit>=-<suffix-length>

    Directives

    <unit>

    The unit in which ranges are defined. Currently only bytes are a registered unit.

    <range-start>

    An integer in the given unit indicating the start position of the request range.

    <range-end>

    An integer in the given unit indicating the end position of the requested range. This value is optional and, if omitted, the end of the resource is used as the end of the range.

    <suffix-length>

    An integer indicating the number of units at the end of the resource to return.

    Examples

    The following examples show how to make requests using the Range header for CORS-safelisted requests, and for requesting multiple ranges. Other examples can be found in the CORS-safelisted request header when the value is a single byte range. This means that it can be used in cross-origin requests without triggering a preflight request, which is useful for requesting media and resuming downloads.

    The following example requests the first 500 bytes of a resource:

    http
    Range: bytes=0-499

    To request the second 500 bytes:

    http
    Range: bytes=500-999

    Omitting the end position requests all remaining units of the resource, so the last 100 bytes of a resource with a length of 1000 bytes can be requested using:

    http
    Range: bytes=900-

    Alternatively, if it's unknown how large a resource is, the last n bytes can be requested using a suffix range of -n:

    http
    Range: bytes=-100

    Requesting multiple ranges

    Given a resource with a length of 10000 bytes, the following example requests three separate ranges; 200-999 (800 bytes), 2000-2499 (500 bytes), and finally 9500-. The ranges-specifier value 9500- omits an end position which indicates that all bytes from 9500 onward are part of the third range (500 bytes).

    http
    Range: bytes=200-999, 2000-2499, 9500-

    This example requests the first 500 and last 500 bytes of the file. The request may be rejected by the server if these ranges overlap (if the requested resource was less than 1000 bytes long, for instance).

    http
    Range: bytes=0-499, -500

    Checking if a server supports range requests

    The following curl command makes a HEAD request for an image:

    bash
    curl -v --http1.1 -I https://i.imgur.com/z4d4kWk.jpg
# or using the OPTIONS method:
# curl -v --http1.1 -X OPTIONS https://i.imgur.com/z4d4kWk.jpg

    This results in the following HTTP request:

    http
    HEAD /z4d4kWk.jpg HTTP/1.1
Host: i.imgur.com
User-Agent: curl/8.7.1
Accept: */*

    The server responds with a 200 response, and the Accept-Ranges: bytes header is present (some headers are omitted for brevity):

    http
    HTTP/1.1 200 OK
Connection: keep-alive
Content-Length: 146515
Content-Type: image/jpeg
…
Accept-Ranges: bytes

    Specifications

    Specification
    HTTP Semantics
    # field.range

    Browser compatibility

    See also