Re: [cors] Ability to read Access-Control-Expose-Headers

On Sun, 25 Sep 2011 00:50:58 +0200, Conrad Irwin <conrad.irwin@gmail.com> wrote:
> Is there a reason that JavaScript cannot read the Access-Control-*
> headers in CORS?
>
> In particular I was trying to work around a bug in Firefox [1] that
> means that .getAllResponseHeaders() doesn't get all response headers
> for CORS requests. It seems that the nicest way to do this would just
> be to iterate over the list of simple-response-headers, and the
> contents of the Access-Control-Expose-Headers header.
>
> Unfortunately, I'm not able to read the Access-Control-Expose-Headers
> header, because it was not exposed in the
> Access-Control-Expose-Headers header :).
>
> In general it seems like a useful introspection mechanism — it would
> allow applications to distinguish between "this header was not set"
> and "I am not allowed to read this header". It also seems that it
> would be useful to be able to read the Access-Control-Allow-Headers,
> and Access-Control-Allow-Methods headers so that the JavaScript
> application can adjust its feature set based on what the server will
> allow.

One reason I can think of is that we do not want to give attackers more
information than strictly necessary. Exposing
"Access-Control-Expose-Headers" would be different from what
getAllResponseHeaders() returns. Gecko should just fix its bug.

> [1] https://bugzilla.mozilla.org/show_bug.cgi?id=608735
-- 
Anne van Kesteren
http://annevankesteren.nl/

Received on Monday, 26 September 2011 06:35:39 UTC
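The filter the two messages are arguing about, written out as an added example (it is not code from the thread or from any browser): which response-header names script is allowed to read on a cross-origin response, given the simple/safelisted list plus whatever Access-Control-Expose-Headers opts in. The function and constant names are mine; the Content-Length entry and the `*` wildcard rule are later Fetch additions that go beyond the 2011 list Conrad refers to, and `SAMPLE_RESPONSE` is a constructed response.

```javascript
// Added example, not from the thread: a model of the filter a browser applies
// before script can read a cross-origin response's headers (names compared
// case-insensitively, as HTTP requires).

// Always readable on a CORS response (Fetch's CORS-safelisted response-header
// names; the 2011 "simple response headers" list lacked Content-Length).
const SAFELISTED_RESPONSE_HEADERS = new Set([
  "cache-control", "content-language", "content-length", "content-type",
  "expires", "last-modified", "pragma",
]);
// Never readable from script, even if the server lists them explicitly.
const FORBIDDEN_RESPONSE_HEADERS = new Set(["set-cookie", "set-cookie2"]);

// Parse a comma-separated header-name list (e.g. the value of
// Access-Control-Expose-Headers) into lower-cased, trimmed names.
function parseHeaderNameList(value) {
  if (!value) return [];
  return value.split(",").map((s) => s.trim().toLowerCase()).filter(Boolean);
}

// Given every header the server sent (name -> value) and whether the request
// carried credentials, return the header names script may read. A bare "*"
// in Access-Control-Expose-Headers exposes all non-forbidden headers only
// for requests without credentials (Fetch's later wildcard rule).
function exposedHeaderNames(responseHeaders, { credentials = false } = {}) {
  const sent = new Map(
    Object.entries(responseHeaders).map(([k, v]) => [k.toLowerCase(), v]),
  );
  const listed = parseHeaderNameList(sent.get("access-control-expose-headers"));
  const wildcard = !credentials && listed.includes("*");
  const readable = [];
  for (const name of sent.keys()) {
    if (FORBIDDEN_RESPONSE_HEADERS.has(name)) continue;
    if (SAFELISTED_RESPONSE_HEADERS.has(name) || wildcard || listed.includes(name)) {
      readable.push(name);
    }
  }
  return readable.sort();
}

// Constructed sample response: the Access-Control-* headers themselves are
// not safelisted, so they stay hidden unless the server opts them in.
const SAMPLE_RESPONSE = {
  "Content-Type": "application/json",
  "X-Request-Id": "abc123",
  "Set-Cookie": "sid=1; HttpOnly",
  "Access-Control-Allow-Origin": "https://app.example",
  "Access-Control-Expose-Headers": "X-Request-Id",
};
console.log(exposedHeaderNames(SAMPLE_RESPONSE)); // → [ 'content-type', 'x-request-id' ]
```

Listing Access-Control-Expose-Headers inside its own value is what makes it readable, which is exactly the self-reference Conrad ran into; Set-Cookie stays hidden no matter what the server lists.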