rs/cors

Access-Control-Expose-Headers should be sent in preflight response

damien-talos opened this issue · 2 comments

Currently, the Access-Control-Expose-Headers header is only sent in the real response, not the preflight response.
This means that it has no effect, since the browser only uses the headers sent on the preflight response.

Is there any reason why the writing of the headers is not shared between preflight and actual handlers?

@damien-talos You're mistaken: the Access-Control-Expose-Headers header belongs in the actual response, not in the preflight response. See the relevant section of the Fetch standard:

An HTTP response to a CORS request that is not a CORS-preflight request can also include the following header:

Access-Control-Expose-Headers

  • Indicates which headers can be exposed as part of the response by listing their names.

(my emphasis)

jub0bs commented

@rs I think you can close this issue now. 😇
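
The header placement discussed in this thread, as an added example that is not code from rs/cors or from any participant: a standard-library Go program that probes a handler with a preflight and an actual cross-origin request and reports where `Access-Control-Expose-Headers` appears. The middleware `exampleCORS`, the origin `https://app.example` and the `X-Request-Id` header are constructed for illustration.

```go
package main

import (
	"fmt"
	"net/http"
	"net/http/httptest"
)

// exampleCORS is a constructed, minimal middleware for illustration (not rs/cors code).
func exampleCORS(next http.Handler) http.Handler {
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		origin := r.Header.Get("Origin")
		if origin != "https://app.example" { // constructed allowed origin
			next.ServeHTTP(w, r)
			return
		}
		w.Header().Set("Access-Control-Allow-Origin", origin)
		if r.Method == http.MethodOptions && r.Header.Get("Access-Control-Request-Method") != "" {
			// Preflight: the browser reads the Allow-* headers here, not Expose-Headers.
			w.Header().Set("Access-Control-Allow-Methods", "GET")
			w.WriteHeader(http.StatusNoContent)
			return
		}
		// Actual response: Expose-Headers governs which response headers scripts may read.
		w.Header().Set("Access-Control-Expose-Headers", "X-Request-Id")
		next.ServeHTTP(w, r)
	})
}

// exposeHeaders returns the Expose-Headers value h sends for a preflight and for an actual GET.
func exposeHeaders(h http.Handler, origin string) (preflight, actual string) {
	send := func(method string, isPreflight bool) string {
		req := httptest.NewRequest(method, "/data", nil)
		req.Header.Set("Origin", origin)
		if isPreflight {
			req.Header.Set("Access-Control-Request-Method", "GET")
		}
		rec := httptest.NewRecorder()
		h.ServeHTTP(rec, req)
		return rec.Result().Header.Get("Access-Control-Expose-Headers")
	}
	return send(http.MethodOptions, true), send(http.MethodGet, false)
}

func main() {
	api := http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) { w.Header().Set("X-Request-Id", "constructed-123") })
	p, a := exposeHeaders(exampleCORS(api), "https://app.example")
	fmt.Printf("preflight=%q actual=%q\n", p, a)
}
```

`exposeHeaders` accepts any `http.Handler`, so the same probe can be pointed at a real middleware chain in a unit test.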