Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

AllowAll and Access-Control-Expose-Headers. #79

Closed
yonderblue opened this issue May 16, 2019 · 5 comments · May be fixed by #84
Closed

AllowAll and Access-Control-Expose-Headers. #79

yonderblue opened this issue May 16, 2019 · 5 comments · May be fixed by #84

Comments

@yonderblue
Copy link

Just a suggestion, since wildcard for Access-Control-Expose-Headers isn't widely supported yet, I would recommend filling Access-Control-Expose-Headers in the AllowAll configuration with the result of whatever is set in the wrapped handler minus any of the 6 default values and other Access-Control-* headers.
@rs
Copy link
Owner

rs commented May 23, 2019

Would you be willing to submit a PR?

yonderblue pushed a commit to yonderblue/cors that referenced this issue Jun 14, 2019
Support wildcard for ExposedHeaders option.
881667a 
Via echoing back all headers in a wrapped response writer since browsers
don't currently support the wildcard.

Fixes rs#79
@yonderblue yonderblue mentioned this issue Jun 14, 2019
Open
yonderblue pushed a commit to yonderblue/cors that referenced this issue Jun 14, 2019
Support wildcard for ExposedHeaders option.
e5b7366 
Via echoing back all headers in a wrapped response writer since browsers
don't currently support the wildcard.

Fixes rs#79
@yonderblue
Copy link
Author

Sure thing, PR up.

@bweston92
Copy link

Any update on this? I think this is causing me some issues.

@jub0bs
Copy link
Contributor

jub0bs commented Aug 27, 2023
edited

filling Access-Control-Expose-Headers [...] with the result of whatever is set in the wrapped handler [...]

I thought about this, and I don't think it can be done. In general, the wrapped handler may write to the response body; and after that, it would be too late for the middleware to include another response header (Access-Control-Expose-Headers).

One thing you can do is include the following header:

Access-Control-Expose-Headers: *

but that's only compatible with anonymous (as opposed to credentialed) access.

@jub0bs
Copy link
Contributor

jub0bs commented Dec 30, 2023
edited

@rs Because Access-Control-Expose-Headers: * is now supported by all modern browsers for non-credentialed access, I think you could likely close this issue.

@rs rs closed this as completed Dec 30, 2023
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging a pull request may close this issue.

Support wildcard for ExposedHeaders option. yonderblue/cors
4 participants
@rs @yonderblue @bweston92 @jub0bs