[CORS] Add wildcard to Access-Control-Expose-Headers, Access-Control-Allow-Methods, and Access-Control-Allow-Headers
(Reporter: fscholz, Unassigned, NeedInfo)


(Blocks 1 bug, {dev-doc-needed})

Firefox Tracking Flags

(Not tracked)


(Whiteboard: [domsecurity-backlog2] spec change)



3 years ago
A recent change in the Fetch spec:

> Enable Access-Control-Expose-Headers, Access-Control-Allow-Methods, 
> and Access-Control-Allow-Headers to use a wildcard, with the same 
> restriction as placed upon wildcards in Access-Control-Allow-Origin. 
> Namely, it can only be used for requests where the credentials mode is "omit".

> The Authorization header still needs to be explicitly listed by 
> Access-Control-Allow-Headers even with the wildcard.

> This also makes the CORS cache wildcard-aware and updates some of the
> terminology around CORS caches to share more concepts.

Comment 1

3 years ago
The new syntax:

Access-Control-Expose-Headers = #field-name / wildcard
Access-Control-Allow-Methods  = #method / wildcard
Access-Control-Allow-Headers  = #field-name-or-wildcard

The difference between the Access-Control-Expose-Headers and Access-Control-Allow-Headers production is that the latter needs to be able to handle `*, Authorization` as header value whereas the former does not.
Severity: normal → enhancement
Priority: -- → P3
Whiteboard: [domsecurity-backlog2] spec change
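As an added example (not Gecko code and not one of the tests linked in this bug), a small JavaScript model of the preflight checks under the wildcard rules quoted above: `*` counts as a wildcard only when the credentials mode is "omit", and `Authorization` must be listed explicitly even next to `*`. The function names are assumed, and the request header list is assumed to already exclude CORS-safelisted headers.

```javascript
// Constructed model of the Access-Control-Allow-Headers /
// Access-Control-Allow-Methods wildcard rules from the Fetch change quoted above.

// Split a #token list ("X-A, X-B, *") into trimmed, non-empty tokens.
function parseTokenList(value) {
  return value.split(",").map((s) => s.trim()).filter((s) => s.length > 0);
}

// True if every name in requestHeaders is permitted by the
// Access-Control-Allow-Headers value under the given credentials mode.
// requestHeaders: assumed to be only the non-safelisted headers of the request.
function headersAllowed(allowHeadersValue, requestHeaders, credentialsMode) {
  const allowed = parseTokenList(allowHeadersValue).map((h) => h.toLowerCase());
  // "*" is a wildcard only for credentials mode "omit"; otherwise it is just a
  // literal token that no real request header name will match.
  const wildcard = credentialsMode === "omit" && allowed.includes("*");
  return requestHeaders.every((name) => {
    const lower = name.toLowerCase();
    // Authorization is never covered by the wildcard; it must be listed itself.
    if (lower === "authorization") return allowed.includes("authorization");
    return wildcard || allowed.includes(lower);
  });
}

// True if the request method is permitted by the
// Access-Control-Allow-Methods value under the given credentials mode.
function methodAllowed(allowMethodsValue, method, credentialsMode) {
  const allowed = parseTokenList(allowMethodsValue);
  if (credentialsMode === "omit" && allowed.includes("*")) return true;
  return allowed.includes(method);
}
```

The `*, Authorization` case from comment 1 is the one that distinguishes the Allow-Headers production from Expose-Headers: both tokens must survive parsing for a credentialed-style header to be approved alongside a wildcard.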

Comment 2

2 years ago
Basic tests for Access-Control-Expose-Headers: https://github.com/w3c/web-platform-tests/pull/5047.

Comment 3

2 years ago
Basic tests for Access-Control-Allow-Methods/Headers: * at https://github.com/w3c/web-platform-tests/pull/5050.

Comment 4

2 years ago
There is an open spec issue here https://github.com/whatwg/fetch/issues/548

Comment 5

2 years ago
That's now resolved via https://github.com/whatwg/fetch/pull/592. The semantics ended up being tweaked slightly and adjusted tests are at https://github.com/w3c/web-platform-tests/pull/7223 (will land soon). There's nothing blocking this now that I'm aware of.


11 months ago
Blocks: fetch

Comment 6

5 months ago
Any update?


5 months ago
Component: DOM: Security → DOM: Networking
Andrea, who should work on this bug?
Flags: needinfo?(amarchesini)