[CORS] Add wildcard to Access-Control-Expose-Headers, Access-Control-Allow-Methods, and Access-Control-Allow-Headers

Status: NEW (Unassigned)
Type/Priority: enhancement, P3, normal
Reported: 3 years ago; last updated: 2 months ago
Reporter: fscholz (NeedInfo set)
Tracking: Blocks 1 bug, dev-doc-needed
Firefox Tracking Flags: Not tracked
Whiteboard: [domsecurity-backlog2] spec change

Description (Reporter, 3 years ago)
A recent change in the Fetch spec:
https://github.com/whatwg/fetch/commit/cdbb13c08650b10c9ebfc54d046bec0639e7ba7c

> Enable Access-Control-Expose-Headers, Access-Control-Allow-Methods, 
> and Access-Control-Allow-Headers to use a wildcard, with the same 
> restriction as placed upon wildcards in Access-Control-Allow-Origin. 
> Namely, it can only be used for requests where the credentials mode is "omit".

> The Authorization header still needs to be explicitly listed by 
> Access-Control-Allow-Headers even with the wildcard.

> This also makes the CORS cache wildcard-aware and updates some of the
> terminology around CORS caches to share more concepts.

Comment 1 (Reporter, 3 years ago)
The new syntax:

Access-Control-Expose-Headers = #field-name / wildcard
Access-Control-Allow-Methods  = #method / wildcard
Access-Control-Allow-Headers  = #field-name-or-wildcard

The difference between the Access-Control-Expose-Headers and Access-Control-Allow-Headers production is that the latter needs to be able to handle `*, Authorization` as header value whereas the former does not.
Severity: normal → enhancement
Priority: -- → P3
Whiteboard: [domsecurity-backlog2] spec change
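To make the rules quoted in the description and the grammar in Comment 1 concrete, here is an added example (not code from this bug, from Firefox, or from the Fetch spec) that models how a browser-side CORS check treats "*" in the three headers. The function names, the list-splitting helper and the sample preflight values are this example's own. It honours the wildcard whenever the request's credentials mode is not "include", which is the condition the Fetch spec text uses for the Allow-Origin wildcard (the commit quoted above phrases it as credentials mode "omit"), and it keeps Authorization outside the wildcard so that `*, Authorization` has to be parsed as a list.

```javascript
// Added example: a model of the wildcard rules for the three CORS response
// headers, not code from this bug, Firefox, or the Fetch spec. Function names,
// helpers and sample values are this example's own.
//
// Rules modelled:
//  - "*" is a real wildcard only when the request's credentials mode is not
//    "include"; with credentials it is just a literal token (it would only
//    match a header or method literally named "*").
//  - Authorization is never covered by "*" in Access-Control-Allow-Headers and
//    must be listed explicitly, which is why "*, Authorization" must parse.
// Simplifications: CORS-safelisted request headers, forbidden response-header
// names and the forced-preflight case for GET/HEAD/POST are not modelled.

// "#field-name" / "#method": comma-separated tokens, optional whitespace,
// empty entries dropped.
function splitList(value) {
  if (value === null || value === undefined) return [];
  return value.split(",").map(s => s.trim()).filter(s => s.length > 0);
}

// The wildcard is only honoured for non-credentialed requests.
function wildcardActive(tokens, credentialsMode) {
  return credentialsMode !== "include" && tokens.includes("*");
}

// Access-Control-Allow-Headers check for a preflight: every header the request
// wants to send must be covered. Header names compare case-insensitively.
function corsAllowsHeaders(allowHeadersValue, requestedHeaders, credentialsMode) {
  const allowed = splitList(allowHeadersValue).map(h => h.toLowerCase());
  const wildcard = wildcardActive(allowed, credentialsMode);
  return requestedHeaders.every(h => {
    const name = h.toLowerCase();
    // Authorization is exempt from the wildcard and must be listed by name.
    if (name === "authorization") return allowed.includes("authorization");
    return wildcard || allowed.includes(name);
  });
}

// Access-Control-Allow-Methods check. Method tokens compare case-sensitively;
// GET/HEAD/POST are CORS-safelisted and never need to be listed here.
function corsAllowsMethod(allowMethodsValue, method, credentialsMode) {
  if (["GET", "HEAD", "POST"].includes(method)) return true;
  const allowed = splitList(allowMethodsValue);
  return wildcardActive(allowed, credentialsMode) || allowed.includes(method);
}

// Access-Control-Expose-Headers: which of the given response header names
// become readable to the page, beyond the always-readable safelist (not
// modelled here). Returned lower-cased.
function corsExposedHeaders(exposeHeadersValue, responseHeaderNames, credentialsMode) {
  const listed = splitList(exposeHeadersValue).map(h => h.toLowerCase());
  const names = responseHeaderNames.map(h => h.toLowerCase());
  if (wildcardActive(listed, credentialsMode)) return names;
  return names.filter(n => listed.includes(n));
}

// Constructed sample preflight exchange: a credentialed request to a server
// that answers with the new wildcard syntax. The wildcard is inert here, so
// the only thing it buys is the explicitly listed Authorization header.
function sampleCredentialedPreflight() {
  const response = {
    "Access-Control-Allow-Methods": "*",
    "Access-Control-Allow-Headers": "*, Authorization",
  };
  const allowHeaders = response["Access-Control-Allow-Headers"];
  return {
    deleteAllowed: corsAllowsMethod(response["Access-Control-Allow-Methods"], "DELETE", "include"),
    authOnlyAllowed: corsAllowsHeaders(allowHeaders, ["Authorization"], "include"),
    authPlusCustomAllowed: corsAllowsHeaders(allowHeaders, ["Authorization", "X-Trace-Id"], "include"),
  };
}
```

The practical check this encodes for a server operator: answering `*` is only a convenience for anonymous requests; as soon as the client sends cookies or an Authorization header, every method and header still has to be spelled out, and Authorization has to be spelled out regardless.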

Comment 2 (2 years ago)
Basic tests for Access-Control-Expose-Headers: https://github.com/w3c/web-platform-tests/pull/5047.

Comment 3 (2 years ago)
Basic tests for Access-Control-Allow-Methods/Headers: * at https://github.com/w3c/web-platform-tests/pull/5050.

Comment 4 (Reporter, 2 years ago)
There is an open spec issue here https://github.com/whatwg/fetch/issues/548

Comment 5 (2 years ago)
That's now resolved via https://github.com/whatwg/fetch/pull/592. The semantics ended up being tweaked slightly and adjusted tests are at https://github.com/w3c/web-platform-tests/pull/7223 (will land soon). There's nothing blocking this now that I'm aware of.

Updated (11 months ago)
Blocks: fetch

Comment 6 (5 months ago)
Any update?

Updated (5 months ago)
Component: DOM: Security → DOM: Networking
Andrea, who should work on this bug?
Flags: needinfo?(amarchesini)