<html>

    <head>

      <base href="https://bugs.webkit.org/" />

    </head>

    <body><table border="1" cellspacing="0" cellpadding="8">

        <tr>

          <th>Bug ID</th>

          <td><a class="bz_bug_link 

          bz_status_NEW "

   title="NEW - Add wildcard to Access-Control-Expose-Headers, Access-Control-Allow-Methods, and Access-Control-Allow-Headers"

   href="https://bugs.webkit.org/show_bug.cgi?id=165508">165508</a>

          </td>

        </tr>

        <tr>

          <th>Summary</th>

          <td>Add wildcard to Access-Control-Expose-Headers, Access-Control-Allow-Methods, and Access-Control-Allow-Headers

          </td>

        </tr>

        <tr>

          <th>Classification</th>

          <td>Unclassified

          </td>

        </tr>

        <tr>

          <th>Product</th>

          <td>WebKit

          </td>

        </tr>

        <tr>

          <th>Version</th>

          <td>WebKit Nightly Build

          </td>

        </tr>

        <tr>

          <th>Hardware</th>

          <td>Unspecified

          </td>

        </tr>

        <tr>

          <th>OS</th>

          <td>Unspecified

          </td>

        </tr>

        <tr>

          <th>Status</th>

          <td>NEW

          </td>

        </tr>

        <tr>

          <th>Severity</th>

          <td>Normal

          </td>

        </tr>

        <tr>

          <th>Priority</th>

          <td>P2

          </td>

        </tr>

        <tr>

          <th>Component</th>

          <td>Page Loading

          </td>

        </tr>

        <tr>

          <th>Assignee</th>

          <td>webkit-unassigned&#64;lists.webkit.org

          </td>

        </tr>

        <tr>

          <th>Reporter</th>

          <td>mike&#64;w3.org

          </td>

        </tr>

        <tr>

          <th>CC</th>

          <td>beidson&#64;apple.com

          </td>

        </tr></table>

      <p>

        <div>

        <pre>May 2016 change in the Fetch spec:

<a href="https://github.com/whatwg/fetch/commit/cdbb13c08650b10c9ebfc54d046bec0639e7ba7c">https://github.com/whatwg/fetch/commit/cdbb13c08650b10c9ebfc54d046bec0639e7ba7c</a>

<span class="quote">&gt; Enable Access-Control-Expose-Headers, Access-Control-Allow-Methods, 

&gt; and Access-Control-Allow-Headers to use a wildcard, with the same 

&gt; restriction as placed upon wildcards in Access-Control-Allow-Origin. 

&gt; Namely, it can only be used for requests where the credentials mode is &quot;omit&quot;.</span >

<span class="quote">&gt; The Authorization header still needs to be explicitly listed by 

&gt; Access-Control-Allow-Headers even with the wildcard.</span >

<span class="quote">&gt; This also makes the CORS cache wildcard-aware and updates some of the

&gt; terminology around CORS caches to share more concepts.</span >

The new syntax:

Access-Control-Expose-Headers = #field-name / wildcard

Access-Control-Allow-Methods  = #method / wildcard

Access-Control-Allow-Headers  = #field-name-or-wildcard

The difference between the Access-Control-Expose-Headers and Access-Control-Allow-Headers production is that the latter needs to be able to handle `*, Authorization` as header value whereas the former does not.

Blink bug: <a href="https://bugs.chromium.org/p/chromium/issues/detail?id=615313">https://bugs.chromium.org/p/chromium/issues/detail?id=615313</a>

Gecko bug: <a href="https://bugzilla.mozilla.org/show_bug.cgi?id=1309358">https://bugzilla.mozilla.org/show_bug.cgi?id=1309358</a></pre>

        </div>

      </p>

      <hr>

      <span>You are receiving this mail because:</span>

      <ul>

          <li>You are the assignee for the bug.</li>

      </ul>

    </body>

</html>