Revise access control expose header #280
Open
Commits on Sep 30, 2020
-
return Access-Control-Expose-Headers only if content request
-Access-Control-Expose-Headers is only for what content response headers can be visible inside Javascript, nobody will do XHR preflight OPTIONS verb by hand, saves bytes on wire and undefined behaviour -dont deref request.corsAnywhereRequestState.corsMaxAge unless value used source https://web.archive.org/web/20200110204952/https://www.html5rocks.com/static/images/cors_server_flowchart.png
-
"Access-Control-Expose-Headers" shouldnt contain access-control-* values
-XHR code will not inspect the A-C-* values, it can't even get them with getResponseHeader() if their is a fault with A-C-* headers moving "headers['access-control-allow-origin'] = '*';" to after Expose-Headers computation keeps "access-control-allow-origin" out of Expose-Headers value
-
A-C-Expose-Headers: dont include the 7 CORS-safelisted response-headers
https://fetch.spec.whatwg.org/#cors-safelisted-response-header-name saves bytes over wire
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.