So you can specify an authentication token that has no authentication in it "alg: nonE", and get authenticated as anyone you like.
The real question isn't about the capitalization, it's why the heck does the token allow a "none" algorithm.
> The Authentication API prevented the use of alg: none with a case sensitive filter. This means that simply capitalising any letter e.g. alg: nonE, allowed tokens to be forged.
The option to have 'alg: none' should never be used as it is still the biggest footgun in the JOSE specification. I'm not sure why on earth you need a case-sensitive filter on this, but even giving the user a choice of ciphers to use is a recipe for disaster. Thus JWT is still a cryptographically weak standard.
PASETO or Branca are cryptographically stronger alternatives to use over JWT here.
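Added example, not part of any comment in this thread and not the affected API's code: the case-sensitive denylist from the quoted advisory next to an allowlist verifier that pins the algorithm and always checks the MAC. The function names, the HS256-only policy and the sample tokens are assumptions constructed for the demo.

```python
import base64, hashlib, hmac, json

ALLOWED_ALGS = {"HS256"}  # assumption: this service only ever issues HS256 tokens

def b64url_decode(part):
    return base64.urlsafe_b64decode(part + "=" * (-len(part) % 4))

def b64url_encode(raw):
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()

def denylist_accepts(token):
    """Models only the flawed filter: exact, case-sensitive match on 'none'."""
    header = json.loads(b64url_decode(token.split(".")[0]))
    return header.get("alg") != "none"

def verify_hs256(token, key):
    """Allowlist: reject anything but the pinned algorithm, then verify the MAC."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("malformed token")
    alg = json.loads(b64url_decode(parts[0])).get("alg")
    if not isinstance(alg, str) or alg not in ALLOWED_ALGS:
        raise ValueError("algorithm not allowed")
    signing_input = f"{parts[0]}.{parts[1]}".encode()
    expected = hmac.new(key, signing_input, hashlib.sha256).digest()
    if not hmac.compare_digest(expected, b64url_decode(parts[2])):
        raise ValueError("bad signature")
    return json.loads(b64url_decode(parts[1]))

def make_token(header, claims, key=None):
    """Build a constructed sample token; no key means an empty signature part."""
    signing_input = ".".join(
        b64url_encode(json.dumps(x).encode()) for x in (header, claims))
    sig = hmac.new(key, signing_input.encode(), hashlib.sha256).digest() if key else b""
    return f"{signing_input}.{b64url_encode(sig)}"

if __name__ == "__main__":
    key = b"constructed-demo-key"
    unsigned = make_token({"alg": "nonE"}, {"sub": "admin"})
    print("denylist lets 'nonE' through:", denylist_accepts(unsigned))
    try:
        verify_hs256(unsigned, key)
    except ValueError as err:
        print("allowlist verifier:", err)
```

The allowlist never has to enumerate spellings of "none", because the header value is only compared against what the server is willing to verify.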