[Webkit-unassigned] [Bug 165508] New: Add wildcard to Access-Control-Expose-Headers, Access-Control-Allow-Methods, and Access-Control-Allow-Headers

bugzilla-daemon at webkit.org bugzilla-daemon at webkit.org
Tue Dec 6 19:35:41 PST 2016 

https://bugs.webkit.org/show_bug.cgi?id=165508

            Bug ID: 165508
           Summary: Add wildcard to Access-Control-Expose-Headers,
                    Access-Control-Allow-Methods, and
                    Access-Control-Allow-Headers
    Classification: Unclassified
           Product: WebKit
           Version: WebKit Nightly Build
          Hardware: Unspecified
                OS: Unspecified
            Status: NEW
          Severity: Normal
          Priority: P2
         Component: Page Loading
          Assignee: webkit-unassigned at lists.webkit.org
          Reporter: mike at w3.org
                CC: beidson at apple.com

May 2016 change in the Fetch spec:
https://github.com/whatwg/fetch/commit/cdbb13c08650b10c9ebfc54d046bec0639e7ba7c

> Enable Access-Control-Expose-Headers, Access-Control-Allow-Methods, 
> and Access-Control-Allow-Headers to use a wildcard, with the same 
> restriction as placed upon wildcards in Access-Control-Allow-Origin. 
> Namely, it can only be used for requests where the credentials mode is "omit".

> The Authorization header still needs to be explicitly listed by 
> Access-Control-Allow-Headers even with the wildcard.

> This also makes the CORS cache wildcard-aware and updates some of the
> terminology around CORS caches to share more concepts.

The new syntax:

Access-Control-Expose-Headers = #field-name / wildcard
Access-Control-Allow-Methods  = #method / wildcard
Access-Control-Allow-Headers  = #field-name-or-wildcard

The difference between the Access-Control-Expose-Headers and Access-Control-Allow-Headers production is that the latter needs to be able to handle `*, Authorization` as header value whereas the former does not.

Blink bug: https://bugs.chromium.org/p/chromium/issues/detail?id=615313
Gecko bug: https://bugzilla.mozilla.org/show_bug.cgi?id=1309358

-- 
You are receiving this mail because:
You are the assignee for the bug.
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <https://lists.webkit.org/pipermail/webkit-unassigned/attachments/20161207/1bddf2b7/attachment.html>

More information about the webkit-unassigned mailing list