Note about credentials & wildcards probably incorrect for Access-Control-Expose-Headers
hamishwillee opened this issue
3.2.4. HTTP new-header syntax has a note at the end that says this:

> For `Access-Control-Expose-Headers`, `Access-Control-Allow-Methods`, and `Access-Control-Allow-Headers` response headers, the value `*` counts as a wildcard for requests without credentials. For such requests there is no way to solely match a header name or method that is `*`.

That makes sense for the other two headers, but maybe not for `Access-Control-Expose-Headers`. Specifically, that method tells a client what response headers it can expose to clients. The `Authorization` header would never appear in a response so is irrelevant here. How would cookies or other credential information be relevant in this context?

I think that means that `*` should allow sharing of all response headers. Right?
This fell out of a Mozilla bugzilla discussion here: https://bugzilla.mozilla.org/show_bug.cgi?id=1687364#c5
We only allow wildcarding for non-credentialed requests, to prevent responses from accidentally sharing too much information. So the note is accurate. `*` is a wildcard, but only if the request is non-credentialed. And when it functions as a wildcard, you cannot match a header whose name is `*`.

Edit: having looked at the Mozilla bug, this note is unrelated to `Authorization`.
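Added example, not from the issue thread or the Fetch spec's own text: a small JavaScript model of the rule discussed above, i.e. how a browser decides which response headers a cross-origin caller may read given `Access-Control-Expose-Headers` and the request's credentials mode. The CORS-safelisted response-header names and the `Set-Cookie`/`Set-Cookie2` exclusion are the Fetch spec's; the response header list, the header names in it, and the function names are constructed for illustration.

```javascript
// Added example (not the issue's or the Fetch spec's own code): model the
// wildcard rule for Access-Control-Expose-Headers. With credentials mode
// "omit"/"same-origin", "*" exposes every header in the response (except the
// forbidden response-header names). With credentials mode "include", "*" is a
// literal header name and only matches a header actually called "*".

// Always readable cross-origin (Fetch: CORS-safelisted response-header names).
const SAFELISTED = new Set([
  "cache-control", "content-language", "content-length",
  "content-type", "expires", "last-modified", "pragma",
]);

// Never readable cross-origin, even with a wildcard (forbidden response-header names).
const FORBIDDEN_RESPONSE_HEADERS = new Set(["set-cookie", "set-cookie2"]);

// Split a comma-delimited header value into trimmed, lower-cased tokens.
function splitListValue(value) {
  return value.split(",").map((t) => t.trim().toLowerCase()).filter(Boolean);
}

// responseHeaders: array of [name, value] pairs (names may repeat, case-insensitive).
// credentialsMode: "omit" | "same-origin" | "include" (the fetch() option).
// Returns the sorted list of header names the cross-origin caller may read.
function exposedHeaderNames(responseHeaders, credentialsMode) {
  const allNames = [...new Set(responseHeaders.map(([n]) => n.toLowerCase()))];

  // Gather every Access-Control-Expose-Headers value (the header may repeat).
  const listed = [];
  for (const [n, v] of responseHeaders) {
    if (n.toLowerCase() === "access-control-expose-headers") {
      listed.push(...splitListValue(v));
    }
  }

  let exposed;
  if (credentialsMode !== "include" && listed.includes("*")) {
    // Wildcard: every header name present in the response.
    exposed = allNames;
  } else {
    // Literal matching: safelisted names plus exactly what was listed.
    // Here "*" only matches a header literally named "*" (a valid token).
    exposed = allNames.filter((n) => SAFELISTED.has(n) || listed.includes(n));
  }

  return exposed.filter((n) => !FORBIDDEN_RESPONSE_HEADERS.has(n)).sort();
}

// Constructed sample response: a credentialed API reply that also sets a cookie.
const SAMPLE_RESPONSE = [
  ["Content-Type", "application/json"],
  ["X-Request-Id", "abc123"],
  ["X-RateLimit-Remaining", "41"],
  ["Set-Cookie", "session=deadbeef; HttpOnly"],
  ["Access-Control-Allow-Origin", "https://app.example"],
  ["Access-Control-Allow-Credentials", "true"],
  ["Access-Control-Expose-Headers", "*"],
];

// Same response, but listing names explicitly alongside the literal "*".
const SAMPLE_RESPONSE_EXPLICIT = SAMPLE_RESPONSE.map(([n, v]) =>
  n === "Access-Control-Expose-Headers" ? [n, "X-Request-Id, *"] : [n, v]
);

console.log("omit   :", exposedHeaderNames(SAMPLE_RESPONSE, "omit"));
console.log("include:", exposedHeaderNames(SAMPLE_RESPONSE, "include"));
console.log("include, explicit:", exposedHeaderNames(SAMPLE_RESPONSE_EXPLICIT, "include"));
```

The second and third calls show the practical consequence for a server that sends `Access-Control-Allow-Credentials: true`: a bare `*` exposes nothing beyond the safelist to a credentialed caller, so the names must be listed explicitly.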