[cors] Ability to read Access-Control-Expose-Headers

Hi all,

Is there a reason that JavaScript cannot read the Access-Control-*
headers in CORS?

In particular I was trying to work around a bug in Firefox [1] that
means that .getAllResponseHeaders() doesn't get all response headers
for CORS requests. It seems that the nicest way to do this would just
be to iterate over the list of simple-response-headers, and the
contents of the Access-Control-Expose-Headers header.

Unfortunately, I'm not able to read the Access-Control-Expose-Headers
header, because it was not exposed in the
Access-Control-Expose-Headers header :).

In general it seems like a useful introspection mechanism — it would
allow applications to distinguish between "this header was not set"
and "I am not allowed to read this header". It also seems that it
would be useful to be able to read the Access-Control-Allow-Headers
and Access-Control-Allow-Methods headers so that the JavaScript
application can adjust its feature set based on what the server will
allow.

Conrad

[1] https://bugzilla.mozilla.org/show_bug.cgi?id=608735

Received on Sunday, 25 September 2011 13:18:05 UTC
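
The following is an added example, not part of the original message. It models the CORS response-header filter the message describes: script sees only the simple response headers plus the names listed in Access-Control-Expose-Headers. Assumptions: the function names and sample response are constructed for illustration, the six-name simple list is the one in the CORS specification of the time, and wildcard values are not handled.

```javascript
// Simple response headers, always readable on a CORS response.
const SIMPLE_RESPONSE_HEADERS = [
  "cache-control", "content-language", "content-type",
  "expires", "last-modified", "pragma",
];

// Parse a comma-separated Access-Control-Expose-Headers value into lowercase names.
function parseExposeHeaders(value) {
  if (!value) return [];
  return value.split(",").map((n) => n.trim().toLowerCase()).filter(Boolean);
}

// Split the headers the server sent into those script may read and those it may not.
function visibleToScript(rawHeaders) {
  const lower = new Map();
  for (const [name, value] of Object.entries(rawHeaders)) {
    lower.set(name.toLowerCase(), value);
  }
  const allowed = new Set([
    ...SIMPLE_RESPONSE_HEADERS,
    ...parseExposeHeaders(lower.get("access-control-expose-headers")),
  ]);
  const readable = Object.create(null);
  const hidden = [];
  for (const [name, value] of lower) {
    if (allowed.has(name)) readable[name] = value;
    else hidden.push(name);
  }
  return { readable, hidden };
}

// Script-side view (hypothetical stand-in for xhr.getResponseHeader):
// returns null both for "header not set" and for "header not exposed".
function getResponseHeader(rawHeaders, name) {
  const { readable } = visibleToScript(rawHeaders);
  const key = name.toLowerCase();
  return key in readable ? readable[key] : null;
}

// Constructed sample cross-origin response.
const SAMPLE = {
  "Content-Type": "application/json",
  "X-Request-Id": "abc123",
  "X-Rate-Limit": "40",
  "Access-Control-Allow-Origin": "https://app.example",
  "Access-Control-Expose-Headers": "X-Request-Id",
};
```

In this model the Access-Control-Expose-Headers value becomes readable only if the server lists the header's own name inside it, which is the circularity the message points out.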