- From: Hamish Willee <notifications@github.com>
- Date: Sun, 11 Jun 2023 17:59:19 -0700
- To: whatwg/fetch <fetch@noreply.github.com>
- Cc: Subscribed <subscribed@noreply.github.com>
Received on Monday, 12 June 2023 00:59:25 UTC
[3.2.4. HTTP new-header syntax](https://fetch.spec.whatwg.org/#http-new-header-syntax) has a note in the end that says this: > For `Access-Control-Expose-Headers`, `Access-Control-Allow-Methods`, and `Access-Control-Allow-Headers` response [headers](https://fetch.spec.whatwg.org/#concept-header), the [value](https://fetch.spec.whatwg.org/#concept-header-value) `*` counts as a wildcard for [requests](https://fetch.spec.whatwg.org/#concept-request) without [credentials](https://fetch.spec.whatwg.org/#credentials). For such [requests](https://fetch.spec.whatwg.org/#concept-request) there is no way to solely match a [header name](https://fetch.spec.whatwg.org/#header-name) or [method](https://fetch.spec.whatwg.org/#concept-method) that is `*`. That makes sense for the other two headers, but maybe not for `Access-Control-Expose-Headers`. Specifically, that method tells a client what response headers it can expose to clients. The `Authorization` header would never appear in a response so is irrelevant here. Are any of the other credentials relevant in this context? -- Reply to this email directly or view it on GitHub: https://github.com/whatwg/fetch/issues/1671 You are receiving this because you are subscribed to this thread. Message ID: <whatwg/fetch/issues/1671@github.com>
Received on Monday, 12 June 2023 00:59:25 UTC