In the HTTP CORS spec, what's the difference between 5.6 Access-Control-Allow-Headers and 5.3 Access-Control-Expose-Headers?
[Allow-Headers] header indicates, as part of the response to a preflight request, which header field names can be used during the actual request
UPDATE: I was hoping someone would tell me one of these headers is sent for every request (pre-flight)... However, there is yet another header that is used for that: 5.9 Access-Control-Request-Headers
[Request-Headers] header indicates which headers will be used in the actual request as part of the preflight request
BTW, I love how they (W3C) carefully worded 5.9 so that the request header can have a field called _Something_ Request Header.
I'm completely lost in the spec, is there a diagram where I can understand this process better?
The Access-Control-Expose-Headers response header allows a server to indicate which response headers should be made available to scripts running in the browser, in response to a cross-origin request. Only the CORS-safelisted response headers are exposed by default.
The allow-header entry specifies which headers are presented in preflight responses to clients as acceptable to use when making cross-origin requests to resources which this policy is applicable to.
Access-Control-Allow-Headers
Used in response to a preflight request to indicate which HTTP headers can be used when making the actual request.
Access-Control-Expose-Headers
This header lets a server whitelist headers that browsers are allowed to access. For example:
Source: https://developer.mozilla.org/en-US/docs/Web/HTTP/Access_control_CORS
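The exchange the question and answer describe, as an added example that is not part of the original question or answer: a small JavaScript model of both sides of CORS. The browser-side functions decide whether a preflight is needed and which names go into Access-Control-Request-Headers (5.9); the server-side function answers a preflight with Access-Control-Allow-Headers (5.6) and an actual response with Access-Control-Expose-Headers (5.3). The origin `https://app.example`, the header names `X-CSRF-Token`, `X-Request-Id` and `X-RateLimit-Remaining`, and the allowlists are constructed for this example; `corsHeadersFor` is the policy you would call from a Node `http` or Express handler, with header names lower-cased as Node delivers them.

```javascript
// Added example, not code from the original question or answer: a model of the
// CORS exchange showing where Access-Control-Request-Headers (5.9),
// Access-Control-Allow-Headers (5.6) and Access-Control-Expose-Headers (5.3)
// appear. Origins and custom header names below are constructed placeholders.

// ---- Browser side --------------------------------------------------------

// Request headers a browser may send cross-origin without a preflight
// (CORS-safelisted; Content-Type only with the three listed media types).
const SAFELISTED_REQUEST_HEADERS = new Set([
  "accept", "accept-language", "content-language", "content-type",
]);
const SAFELISTED_CONTENT_TYPES = new Set([
  "application/x-www-form-urlencoded", "multipart/form-data", "text/plain",
]);

// Names the browser must list in Access-Control-Request-Headers (5.9).
function nonSafelistedHeaders(headers) {
  return Object.entries(headers)
    .map(([name, value]) => [name.toLowerCase(), String(value)])
    .filter(([name, value]) =>
      !SAFELISTED_REQUEST_HEADERS.has(name) ||
      (name === "content-type" &&
        !SAFELISTED_CONTENT_TYPES.has(value.split(";")[0].trim().toLowerCase())))
    .map(([name]) => name)
    .sort();
}

// A preflight is sent only for methods outside GET/HEAD/POST or when the
// script adds a non-safelisted header; otherwise the request goes straight out,
// so Access-Control-Request-Headers is NOT present on every request.
function needsPreflight(method, headers) {
  return !["GET", "HEAD", "POST"].includes(method) ||
    nonSafelistedHeaders(headers).length > 0;
}

// After the preflight, the browser lets the actual request proceed only if
// every requested header name appears in Access-Control-Allow-Headers.
function preflightPermits(preflightResponse, requestedHeaders) {
  const allowed = new Set(
    (preflightResponse["Access-Control-Allow-Headers"] || "")
      .split(",").map((h) => h.trim().toLowerCase()).filter(Boolean));
  return requestedHeaders.every((h) => allowed.has(h));
}

// ---- Server side ---------------------------------------------------------

const ALLOWED_ORIGINS = new Set(["https://app.example"]);          // constructed
const ALLOWED_REQUEST_HEADERS = new Set(["content-type", "x-csrf-token"]);
// Custom response headers a page script is permitted to read (constructed).
const EXPOSED_RESPONSE_HEADERS = ["X-Request-Id", "X-RateLimit-Remaining"];

// Build the Access-Control-* headers for one incoming request (header names
// lower-cased, as Node's http module delivers them). Returns {} for origins
// that are not allowlisted, so the browser blocks the response.
function corsHeadersFor(method, headers) {
  const origin = headers["origin"];
  if (!origin || !ALLOWED_ORIGINS.has(origin)) return {};
  const out = { "Access-Control-Allow-Origin": origin, "Vary": "Origin" };

  const isPreflight =
    method === "OPTIONS" && "access-control-request-method" in headers;
  if (isPreflight) {
    // 5.9 -> 5.6: answer the requested names with the allowlisted subset only.
    // Never reflect the list verbatim; a name left out makes the browser fail
    // the preflight, which is the intended outcome for unknown headers.
    const requested = (headers["access-control-request-headers"] || "")
      .split(",").map((h) => h.trim().toLowerCase()).filter(Boolean);
    const granted = requested.filter((h) => ALLOWED_REQUEST_HEADERS.has(h));
    out["Access-Control-Allow-Methods"] = "GET, POST, PUT";
    if (granted.length) out["Access-Control-Allow-Headers"] = granted.join(", ");
    out["Access-Control-Max-Age"] = "600";
  } else {
    // 5.3: on the actual response, name the non-safelisted response headers
    // the page script may read; any others still arrive but stay hidden from it.
    out["Access-Control-Expose-Headers"] = EXPOSED_RESPONSE_HEADERS.join(", ");
  }
  return out;
}
```

The two allowlists are the security-relevant part: reflecting Access-Control-Request-Headers back as Access-Control-Allow-Headers, or sending `*` together with credentials, turns the preflight into a formality, and exposing response headers wholesale hands page scripts on any allowed origin whatever the server puts in them.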