A recent change in the Fetch spec: https://github.com/whatwg/fetch/commit/cdbb13c08650b10c9ebfc54d046bec0639e7ba7c

> Enable Access-Control-Expose-Headers, Access-Control-Allow-Methods,
> and Access-Control-Allow-Headers to use a wildcard, with the same
> restriction as placed upon wildcards in Access-Control-Allow-Origin.
> Namely, it can only be used for requests where the credentials mode is "omit".
> The Authorization header still needs to be explicitly listed by
> Access-Control-Allow-Headers even with the wildcard.
> This also makes the CORS cache wildcard-aware and updates some of the
> terminology around CORS caches to share more concepts.

The new syntax:

Access-Control-Expose-Headers = #field-name / wildcard
Access-Control-Allow-Methods = #method / wildcard
Access-Control-Allow-Headers = #field-name-or-wildcard

The difference between the Access-Control-Expose-Headers and Access-Control-Allow-Headers production is that the latter needs to be able to handle `*, Authorization` as header value whereas the former does not.
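
An added example, not part of the original comment or of any browser's code: a sketch of how a client could match the three response headers under the rules worded in the quoted commit message (wildcard only for credentials mode "omit", Authorization always listed explicitly). The function names are hypothetical, and the later tweak to the semantics mentioned further down the thread is not modeled.

```javascript
// Added example. Function names are hypothetical; rules follow the quoted commit message.

// Split a comma-separated header value into trimmed, non-empty tokens.
function parseList(value) {
  return value.split(",").map((t) => t.trim()).filter((t) => t !== "");
}

// Per the quoted commit message, "*" acts as a wildcard only when the
// request's credentials mode is "omit"; otherwise it is an ordinary token.
function wildcardActive(credentialsMode) {
  return credentialsMode === "omit";
}

// Access-Control-Allow-Headers = #field-name-or-wildcard
// "*" may sit in a list, e.g. "*, Authorization".
function headerAllowed(name, allowHeaders, credentialsMode) {
  const list = parseList(allowHeaders).map((t) => t.toLowerCase());
  const lower = name.toLowerCase();
  if (list.includes(lower)) return true;        // explicitly listed
  if (lower === "authorization") return false;  // never matched by "*"
  return wildcardActive(credentialsMode) && list.includes("*");
}

// Access-Control-Expose-Headers = #field-name / wildcard
// The wildcard is the whole value, not a list member.
function headerExposed(name, exposeHeaders, credentialsMode) {
  if (exposeHeaders.trim() === "*" && wildcardActive(credentialsMode)) return true;
  return parseList(exposeHeaders).map((t) => t.toLowerCase()).includes(name.toLowerCase());
}

// Access-Control-Allow-Methods = #method / wildcard (method names are case-sensitive)
function methodAllowed(method, allowMethods, credentialsMode) {
  if (allowMethods.trim() === "*" && wildcardActive(credentialsMode)) return true;
  return parseList(allowMethods).includes(method);
}
```

A server that sends `Access-Control-Allow-Headers: *` while expecting credentialed requests gets no wildcard behaviour under these rules, so the headers it relies on still have to be listed by name.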
Severity: normal → enhancement
Priority: -- → P3
Whiteboard: [domsecurity-backlog2] spec change
Basic tests for Access-Control-Expose-Headers: https://github.com/w3c/web-platform-tests/pull/5047.
Basic tests for Access-Control-Allow-Methods/Headers: * at https://github.com/w3c/web-platform-tests/pull/5050.
There is an open spec issue here https://github.com/whatwg/fetch/issues/548
That's now resolved via https://github.com/whatwg/fetch/pull/592. The semantics ended up being tweaked slightly and adjusted tests are at https://github.com/w3c/web-platform-tests/pull/7223 (will land soon). There's nothing blocking this now that I'm aware of.
Any update?
Andrea, who should work on this bug?