
Re: [cors] Ability to read Access-Control-Expose-Headers

From: Anne van Kesteren <annevk@opera.com>
Date: Mon, 26 Sep 2011 08:35:07 +0200
To: public-webapps@w3.org, Conrad Irwin <conrad.irwin@gmail.com>
Message-ID: <op.v2ekkt1u64w2qv@annevk-macbookpro.local>
On Sun, 25 Sep 2011 00:50:58 +0200, Conrad Irwin <conrad.irwin@gmail.com>  
> Is there a reason that JavaScript cannot read the Access-Control-*
> headers in CORS?
>
> In particular I was trying to work around a bug in Firefox [1] that
> means that .getAllResponseHeaders() doesn't get all response headers
> for CORS requests. It seems that the nicest way to do this would just
> be to iterate over the list of simple-response-headers, and the
> contents of the Access-Control-Expose-Headers header.
>
> Unfortunately, I'm not able to read the Access-Control-Expose-Headers
> header, because it was not exposed in the
> Access-Control-Expose-Headers header :).
>
> In general it seems like a useful introspection mechanism — it would
> allow applications to distinguish between "this header was not set"
> and "I am not allowed to read this header". It also seems that it
> would be useful to be able to read the Access-Control-Allow-Headers,
> and Access-Control-Allow-Methods headers so that the JavaScript
> application can adjust its feature set based on what the server will
> allow.

One reason I can think of is that we do not want to give attackers more  
information than strictly necessary. Exposing  
"Access-Control-Expose-Headers" would be different from what  
getAllResponseHeaders() returns. Gecko should just fix its bug.

> [1] https://bugzilla.mozilla.org/show_bug.cgi?id=608735

Anne van Kesteren
Received on Monday, 26 September 2011 06:35:39 UTC
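As an added illustration of the filtering the thread discusses (example code, not part of the archived message and not any browser's implementation), the snippet below models what a CORS-aware client gets back from getAllResponseHeaders(): the six simple response headers of the 2011 CORS specification plus whatever the server listed in Access-Control-Expose-Headers. The header names and values in `sampleResponse` are constructed for the example; `exposedHeaders` and `parseExposeHeaders` are names chosen here, not spec or browser API names.

```javascript
// Model of the CORS response-header filter a browser applies before
// getAllResponseHeaders() on a cross-origin XMLHttpRequest (added example).

// Simple response headers per the 2011 CORS spec: always readable by script.
const SIMPLE_RESPONSE_HEADERS = new Set([
  "cache-control", "content-language", "content-type",
  "expires", "last-modified", "pragma",
]);

// Parse the comma-separated field-name list of Access-Control-Expose-Headers.
function parseExposeHeaders(value) {
  if (!value) return new Set();
  return new Set(
    value.split(",").map((t) => t.trim().toLowerCase()).filter(Boolean)
  );
}

// Given the raw response headers (name -> value as sent by the server),
// return only those script may read. Access-Control-Expose-Headers is itself
// dropped unless the server listed it, which is the situation the thread
// describes: "not set" and "not allowed" both come back as absent.
function exposedHeaders(rawHeaders) {
  const expose = parseExposeHeaders(
    Object.entries(rawHeaders).find(
      ([n]) => n.toLowerCase() === "access-control-expose-headers"
    )?.[1]
  );
  const visible = {};
  for (const [name, value] of Object.entries(rawHeaders)) {
    const n = name.toLowerCase();
    if (SIMPLE_RESPONSE_HEADERS.has(n) || expose.has(n)) visible[n] = value;
  }
  return visible;
}

// Constructed sample response (hypothetical values, not from the thread).
const sampleResponse = {
  "Content-Type": "application/json",
  "X-Request-Id": "abc123",
  "X-Rate-Limit": "100",
  "Access-Control-Allow-Origin": "https://app.example",
  "Access-Control-Expose-Headers": "X-Request-Id",
};

// Script sees only content-type and x-request-id from sampleResponse.
console.log(exposedHeaders(sampleResponse));
```

Removing X-Rate-Limit from `sampleResponse` entirely yields the same result as leaving it in but unexposed, which is the ambiguity the original poster wanted to resolve.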
