- From: Anne van Kesteren <annevk@opera.com>
- Date: Mon, 26 Sep 2011 08:35:07 +0200
- To: public-webapps@w3.org, Conrad Irwin <conrad.irwin@gmail.com>
On Sun, 25 Sep 2011 00:50:58 +0200, Conrad Irwin <conrad.irwin@gmail.com> wrote:
> Is there a reason that Javascript cannot read the Access-Control-*
> headers in CORS?
>
> In particular I was trying to work around a bug in Firefox [1] that
> means that .getAllResponseHeaders() doesn't get all response headers
> for CORS requests. It seems that the nicest way to do this would just
> be to iterate over the list of simple-response-headers, and the
> contents of the Access-Control-Expose-Headers header.
>
> Unfortunately, I'm not able to read the Access-Control-Expose-Headers
> header, because it was not exposed in the
> Access-Control-Expose-Headers header :).
>
> In general it seems like a useful introspection mechanism — it would
> allow applications to distinguish between "this header was not set"
> and "I am not allowed to read this header". It also seems that it
> would be useful to be able to read the Access-Control-Allow-Headers,
> and Access-Control-Allow-Methods headers so that the javascript
> application can adjust its feature set based on what the server will
> allow.

One reason I can think of is that we do not want to give attackers more information than strictly necessary. Exposing "Access-Control-Expose-Headers" would be different from what getAllResponseHeaders() returns.

Gecko should just fix its bug.

> [1] https://bugzilla.mozilla.org/show_bug.cgi?id=608735

--
Anne van Kesteren
http://annevankesteren.nl/
Received on Monday, 26 September 2011 06:35:39 UTC
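Added example, not part of the thread or of any browser's code: a small JavaScript simulation of the CORS response-header filter the two messages are discussing. It models the rule Conrad describes (a cross-origin script may read the simple response headers plus whatever the server lists in Access-Control-Expose-Headers) and makes both points of the exchange checkable offline: the Access-Control-* headers themselves are filtered unless the server explicitly lists them, and from the script's side a header that was never sent and a header that was sent but not exposed both come back as null. The header list is the one in the 2011 CORS draft; the function names and the sample response are constructed for this example.

```javascript
// Added example: offline simulation of the CORS response-header filter an XHR
// applies to a cross-origin response. Not code from the thread or any browser.

// "Simple response headers" as listed in the 2011 CORS draft. (The current
// Fetch standard calls them CORS-safelisted response-header names and also
// includes Content-Length.)
const SIMPLE_RESPONSE_HEADERS = new Set([
  "cache-control", "content-language", "content-type",
  "expires", "last-modified", "pragma",
]);

// Parse the comma-separated Access-Control-Expose-Headers value into a set of
// lower-cased header names; an absent or empty header exposes nothing extra.
function parseExposeHeaders(value) {
  if (!value) return new Set();
  return new Set(
    value.split(",").map((s) => s.trim().toLowerCase()).filter((s) => s !== "")
  );
}

// Given the raw response headers (array of [name, value] pairs as the server
// sent them), return only the headers a cross-origin script may read.
// Header names are matched case-insensitively.
function corsVisibleHeaders(rawHeaders) {
  const exposeHeader = rawHeaders.find(
    ([n]) => n.toLowerCase() === "access-control-expose-headers"
  );
  const exposed = parseExposeHeaders(exposeHeader ? exposeHeader[1] : "");
  return rawHeaders.filter(([name]) => {
    const n = name.toLowerCase();
    return SIMPLE_RESPONSE_HEADERS.has(n) || exposed.has(n);
  });
}

// Render the filtered list the way XHR's getAllResponseHeaders() does:
// "Name: value" followed by CRLF for each visible header.
function getAllResponseHeaders(rawHeaders) {
  return corsVisibleHeaders(rawHeaders)
    .map(([n, v]) => `${n}: ${v}\r\n`)
    .join("");
}

// What script sees for one header: its value, or null. The same null comes
// back whether the header was absent or present-but-filtered, which is the
// ambiguity raised in the question and the one the reply says is intended.
function getResponseHeader(rawHeaders, name) {
  const hit = corsVisibleHeaders(rawHeaders).find(
    ([n]) => n.toLowerCase() === name.toLowerCase()
  );
  return hit ? hit[1] : null;
}

// Constructed sample response: the server exposes X-Request-Id but, as in the
// thread, does not list Access-Control-Expose-Headers itself.
const SAMPLE_RESPONSE = [
  ["Content-Type", "application/json"],
  ["Access-Control-Allow-Origin", "https://app.example"],
  ["Access-Control-Expose-Headers", "X-Request-Id"],
  ["X-Request-Id", "abc123"],
  ["X-Internal-Node", "node-7"],
];

// The same constructed response with the server opting in to expose the
// Access-Control-* headers, which is what the original question asked for.
const OPTED_IN_EXPOSE = "X-Request-Id, Access-Control-Expose-Headers, Access-Control-Allow-Origin";
const SAMPLE_RESPONSE_OPTED_IN = SAMPLE_RESPONSE.map(([n, v]) =>
  n === "Access-Control-Expose-Headers" ? [n, OPTED_IN_EXPOSE] : [n, v]
);

// Stand-alone demonstration.
console.log(getAllResponseHeaders(SAMPLE_RESPONSE));
console.log("Expose-Headers visible by default:",
  getResponseHeader(SAMPLE_RESPONSE, "Access-Control-Expose-Headers"));
console.log("Unexposed X-Internal-Node:",
  getResponseHeader(SAMPLE_RESPONSE, "X-Internal-Node"));
console.log("Never-sent X-Not-Sent:",
  getResponseHeader(SAMPLE_RESPONSE, "X-Not-Sent"));
console.log("Expose-Headers after server opts in:",
  getResponseHeader(SAMPLE_RESPONSE_OPTED_IN, "Access-Control-Expose-Headers"));
```

Note that the script's view of `X-Internal-Node` (sent, filtered) and `X-Not-Sent` (never sent) is identical, which is exactly the information the reply says should not be handed to a cross-origin caller; the only way a page learns about the exposure policy is for the server to list `Access-Control-Expose-Headers` in its own value, as the opted-in sample does.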