Re: [whatwg/fetch] Allow * for Access-Control-Expose-Headers (#252)

> When the original CORS spec was written, there was an assumption (I assume!) that the preflight OPTIONS response would be served by the same application that would serve the subsequent CORS GET/POST/whatever request. 
>Therefore, that application would have full knowledge of what headers the API might eventually respond with, and which of them should be exposed or suppressed.

'Access-Control-Expose-Headers' is a response header that needs to be on the actual response, not the (pre-flight) OPTIONS response.

I don't quite get the problem description behind the original post?


-- 
You are receiving this because you are subscribed to this thread.
Reply to this email directly or view it on GitHub:
https://github.com/whatwg/fetch/issues/252#issuecomment-292168582

Received on Thursday, 6 April 2017 13:08:24 UTC