Should the Access-Control-Expose-Headers
header field be returned along with an entity in response to an 'actual' request?
Or should it only be returned in response to a CORS preflight request?
Or both?
The flowchart is such a good resource I wanted to repost it here in my own answer.
Image from: http://www.html5rocks.com/en/tutorials/cors/#toc-cors-server-flowchart
If you love us? You can donate to us via Paypal or buy me a coffee so we can maintain and grow! Thank you!
Donate Us With