Computer Configuration > Administrative Templates > Google Chrome
Both
HKLM\Software\Policies\Google\Chrome
Configures support of CORS non-wildcard request headers.

Google Chrome version 97 introduces support for CORS non-wildcard request headers. When a script makes a cross-origin network request via fetch() or XMLHttpRequest with a script-added Authorization header, the header must be explicitly allowed by the Access-Control-Allow-Headers header in the CORS preflight response. "Explicitly" here means that the wildcard symbol "*" doesn't cover the Authorization header. See https://chromestatus.com/feature/5742041264816128 for more detail.

If this policy is not set, or set to True, Google Chrome will support the CORS non-wildcard request headers and behave as described above.

When this policy is set to False, Google Chrome will allow the wildcard symbol ("*") in the Access-Control-Allow-Headers header in the CORS preflight response to cover the Authorization header.

This Enterprise policy is temporary; it's intended to be removed in the future.
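
The preflight check described above, modelled as an added example (not Chrome's own code) so a server's Access-Control-Allow-Headers value can be tested against both policy states. The function names, the X-Request-Id header and the sample values are constructed for illustration, and the request is assumed to be made without credentials mode "include".

```javascript
// Added example: models the preflight header check described above.
// Assumption: the request is made without credentials mode "include", the
// only case in which "*" acts as a wildcard in Access-Control-Allow-Headers.
const NON_WILDCARD_HEADERS = new Set(["authorization"]);

// Parse a comma-separated Access-Control-Allow-Headers value into a set of
// lowercased names (header names are case-insensitive).
function parseAllowHeaders(value) {
  return new Set(
    String(value || "")
      .split(",")
      .map((name) => name.trim().toLowerCase())
      .filter((name) => name.length > 0)
  );
}

// Returns the request headers the preflight response does NOT permit.
// nonWildcardEnforced = true models the policy unset or set to True;
// false models the policy set to False (wildcard covers Authorization).
function blockedHeaders(allowHeadersValue, requestHeaders, nonWildcardEnforced = true) {
  const allowed = parseAllowHeaders(allowHeadersValue);
  const hasWildcard = allowed.has("*");
  return requestHeaders.filter((header) => {
    const name = header.toLowerCase();
    if (allowed.has(name)) return false; // explicitly listed
    if (!hasWildcard) return true; // not listed and no wildcard to fall back on
    // Wildcard present: it covers everything except, when enforced,
    // the non-wildcard request headers.
    return nonWildcardEnforced && NON_WILDCARD_HEADERS.has(name);
  });
}

// Constructed sample: a request sending script-added Authorization and
// X-Request-Id headers, checked against three constructed preflight values.
const requestHeaders = ["Authorization", "X-Request-Id"];
const samples = ["*", "*, Authorization", "X-Request-Id"];
for (const value of samples) {
  console.log(
    JSON.stringify(value),
    "| enforced, blocked:", blockedHeaders(value, requestHeaders, true),
    "| policy False, blocked:", blockedHeaders(value, requestHeaders, false)
  );
}
```

A server that answers preflights with only "*" keeps working while the policy is False and starts failing for Authorization once the policy is removed; listing Authorization explicitly passes in both states.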