Auth0-spa-js cors issue - Accept-Language not allowed by Access-Control-Allow-Headers

Using auth0-spa-js (v1.19.0), if I set any Locale (‘en_GB’ for example) in the browser, the browser then sends an ‘accept-language’ header with requests to the auth0 token endpoint (e.g. via getTokenSilently).

This header isn’t configured in Auth0’s ‘Access-Control-Allow-Headers’, so the request is rejected. The allowed headers do include ‘X-Request-Language’.

The message in the console:
Access to XMLHttpRequest at ‘’ from origin ‘http://localhost:3000’ has been blocked by CORS policy: Request header field accept-language is not allowed by Access-Control-Allow-Headers in preflight response.

Is this expected? Is there a way to configure the ‘Access-Control-Allow-Headers’ for a tenant to add ‘Accept-Language’. Or to strip out this header from auth requests sent from auth0-spa-js (or convert it to ‘X-Request-Language’)?