Revise access control expose header

lib/cors-anywhere.js

@@ -51,11 +51,24 @@ function isValidHostName(hostname) {
  * @param request {ServerRequest}
  */
 function withCORS(headers, request) {
-  headers['access-control-allow-origin'] = '*';
-  var corsMaxAge = request.corsAnywhereRequestState.corsMaxAge;
-  if (request.method === 'OPTIONS' && corsMaxAge) {
-    headers['access-control-max-age'] = corsMaxAge;
+  if (request.method === 'OPTIONS') {
+    var corsMaxAge = request.corsAnywhereRequestState.corsMaxAge;
+    if (corsMaxAge) {
+      headers['access-control-max-age'] = corsMaxAge;
+    }
+  } else {
+    headers['access-control-expose-headers'] = Object.keys(headers).filter(
+      function(header){
+        if (header.match(/^cache-control|content-language|content-length|content-type|expires|last-modified|pragma$/)) {
+          return false;
+        } else {
+          return header;
+        }
+      }).join(',');
   }
+
+  headers['access-control-allow-origin'] = '*';
+
   if (request.headers['access-control-request-method']) {
     headers['access-control-allow-methods'] = request.headers['access-control-request-method'];
     delete request.headers['access-control-request-method'];
@@ -65,7 +78,7 @@ function withCORS(headers, request) {
     delete request.headers['access-control-request-headers'];
   }
 
-  headers['access-control-expose-headers'] = Object.keys(headers).join(',');
+
 
   return headers;
 }

test/setup.js

@@ -54,8 +54,16 @@ function echoheaders(origin) {
 
 nock('http://example.com')
   .persist()
+// replyContentLength() has no effect unless response body is JSON and will get
+// stringified, use defaultReplyHeaders() instead
+// https://github.com/nock/nock/blob/626021770b9b2fa52860c19f6b7a6033d64125e3/lib/interceptor.js#L176
+  .defaultReplyHeaders({
+    'Content-Length': function (req, res, body) {return body.length;},
+  })
   .get('/')
-  .reply(200, 'Response from example.com')
+  .reply(200, 'Response from example.com', {
+    'Content-Type': 'text/plain',
+  })
 
   .post('/echopost')
   .reply(200, function(uri, requestBody) {

test/test.js

@@ -29,6 +29,17 @@ request.Test.prototype.expectNoHeader = function(header, done) {
   return done ? this.end(done) : this;
 };
 
+request.Test.prototype.expectHeaderNotMatch = function(header, regexp, done) {
+  this.expect(function(res) {
+    var headerVal = res.headers[header.toLowerCase()];
+    if (regexp.test(headerVal)) {
+      return new Error('Header "' + header + '" should not contain "'
+                        + String(regexp) + '" got "' + headerVal + '"');
+    }
+  });
+  return done ? this.end(done) : this;
+};
+
 var cors_anywhere;
 var cors_anywhere_port;
 function stopServer(done) {
@@ -92,6 +103,10 @@ describe('Basic functionality', function() {
       .get('/example.com')
       .expect('Access-Control-Allow-Origin', '*')
       .expect('x-request-url', 'http://example.com/')
+      .expect('Content-Length', '25')
+      .expectHeaderNotMatch('access-control-expose-headers', /content-length/)
+      .expectHeaderNotMatch('access-control-expose-headers', /content-type/)
+      .expectHeaderNotMatch('access-control-expose-headers', /access-control-allow-origin/)
       .expect(200, 'Response from example.com', done);
   });
 
@@ -277,6 +292,7 @@ describe('Basic functionality', function() {
     request(cors_anywhere)
       .options('/')
       .expect('Access-Control-Allow-Origin', '*')
+      .expectNoHeader('access-control-expose-headers')
       .expect(200, '', done);
   });
 
@@ -288,6 +304,7 @@ describe('Basic functionality', function() {
       .expect('Access-Control-Allow-Origin', '*')
       .expect('Access-Control-Allow-Methods', 'DELETE')
       .expect('Access-Control-Allow-Headers', 'X-Tralala')
+      .expectNoHeader('access-control-expose-headers')
       .expect(200, '', done);
   });
 
@@ -297,6 +314,7 @@ describe('Basic functionality', function() {
     request(cors_anywhere)
       .options('//bogus')
       .expect('Access-Control-Allow-Origin', '*')
+      .expectNoHeader('access-control-expose-headers')
       .expect(200, '', done);
   });