Re: [fetch] Add new Access-Control-Suppress-Headers CORS response header (#253)

@sicking, in fact, the two header options lend themselves well to working together. The following code could be used (as before, implemented in many possible places 'up the chain' between the backend code and the browser - generic init code, Apache config, load-balancer, CDN, whatever):

`Access-Control-Expose-Headers: *`
`Access-Control-Suppress-Headers: x-secure`

Browsers would treat this to mean that all headers (except for `x-secure`) should be exposed. So we get the benefit of the generic "expose all headers" with the specific "except for this one header, if it's passed". No subsequent code changes needed to expose new headers (unless, of course, the new header should not be exposed).

---
You are receiving this because you are subscribed to this thread.
Reply to this email directly or view it on GitHub:
https://github.com/whatwg/fetch/issues/253#issuecomment-199992555

Received on Tuesday, 22 March 2016 20:00:18 UTC