Re: [fetch] Add new Access-Control-Suppress-Headers CORS response header (#253) from roryhewitt on 2016-03-22 (public-webapps-github@w3.org from March 2016)

From: roryhewitt <notifications@github.com>
Date: Tue, 22 Mar 2016 10:28:30 -0700
To: whatwg/fetch <fetch@noreply.github.com>
Message-ID: <whatwg/fetch/issues/253/199919756@github.com>

@sicking, so prior to AC-Expose-Headers, no headers were exposed except for the ones on the safelist? And then when AC-Expose-Headers was added, we had the ability to  specify additional _specific_ headers to expose?

I agree with the original idea that not exposing _any_ non-safe headers is too restrictive. The problem as I see it, is that without allowing either of the following:

`Access-Control-Expose-Headers: *`

or

`Access-Control-Suppress-Headers: <list-of-headers>`

then we are still hobbled by the fact that developers need to update their CORS setup every time they add a new header to an API response which _might_ need to be accessed by client-side code. I know this doesn't seem like a big deal, but in my experience working with development teams, there can be a huge disconnect between the back-end developers, front-end developers and whoever is in charge of the web server.

I think that **Access-Control-Suppress-Headers** would be a simpler, and safer solution - allowing a team to specify the following:

`Access-Control-Suppress-Headers: X-Secure, X-Debugging`

would be a one-time change that would allow development teams to add new response headers on an ongoing basis, without needing to update the **Access-Control-Expose-Headers** value each time. It's also clearer to both ends what is being done - specific headers are being suppressed.

This would change the [spec](https://fetch.spec.whatwg.org/#cors-safelisted-response-header-name) to be as follows (addition of the line at the end):

---

A **CORS-safelisted response-header name**, given a header list _list_, is a header name that is one of:

`Cache-Control`
`Content-Language`
`Content-Type`
`Expires`
`Last-Modified`
`Pragma`.
Any value resulting from parsing `Access-Control-Expose-Headers` in _list_ that is not a forbidden response-header name.
**The above list must exclude any value resulting from parsing `Access-Control-Suppress-Headers` in _list_.**

---

Originally I said that I thought that **Access-Control-Expose-Headers** and **Access-Control-Suppress-Headers** should be mutually exclusive, but on further consideration, it makes sense if **Access-Control-Suppress-Headers** _overrides_ **Access-Control-Expose-Headers**. In other words, if the response includes the following:

`Access-Control-Expose-Headers: X-Header-1, X-Header-2, X-Header-3`
`Access-Control-Suppress-Headers: X-Header-2`

then the CORS-safelisted response-header names for the request would be:

`Cache-Control`
`Content-Language`
`Content-Type`
`Expires`
`Last-Modified`
`Pragma`.
`X-Header-1`
`X-Header-3`

So there would be no **error** if both **Access-Control-Suppress-Headers** _and_ **Access-Control-Expose-Headers** are specified, although typically only one of them would be specified.

---
You are receiving this because you are subscribed to this thread.
Reply to this email directly or view it on GitHub:
https://github.com/whatwg/fetch/issues/253#issuecomment-199919756

Received on Tuesday, 22 March 2016 17:28:58 UTC